From 091404a5a5a5a6153ff4d014ca92c0605e7cd24e Mon Sep 17 00:00:00 2001 From: Mikey Henderson <4452096+fiddlermikey@users.noreply.github.com> Date: Wed, 17 Apr 2024 10:28:58 -0700 Subject: [PATCH 001/108] Ab#55018 (#49) (#53) Co-authored-by: Lee Fine <50836957+leefine02@users.noreply.github.com> --- CHANGELOG.md | 5 +++ README.md | 5 ++- RemoteFile/ApplicationSettings.cs | 2 ++ RemoteFile/Discovery.cs | 3 +- RemoteFile/InventoryBase.cs | 8 ++++- RemoteFile/ManagementBase.cs | 7 +++- RemoteFile/RemoteCertificateStore.cs | 28 ++++++++++++--- RemoteFile/RemoteHandlers/SSHHandler.cs | 19 ++++++---- RemoteFile/config.json | 3 +- integration-manifest.json | 48 +++++++++++++++++++++++++ readme_source.md | 5 ++- 11 files changed, 116 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8c76be1a..b4a8d915 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,8 @@ +v2.5.0 +- Add new optional custom field and config.json entries to supply a user id other than "root" for the user to "sudo into" when UseSudo = "Y". There is an optional config.json DefaultSudoImpersonatedUser that will be used at the orchestrator level, and an optional new store type custom field, SudoImpersonatedUser, that overrides the config.json setting for each certificate store. +- Modified the optional sudo command prefix to remove the "-i" option which was creating a new shell for the impersonated id (always root up until this release). Without this option the profile for the logged in user and not the impersonated user will be used when running commands. +- Added Regex checks for Discovery fields (file names, file extensions, and file paths) to enhance security. Only alpha numeric, "/", and "\" characters are allowed for these values. + v2.4.2 - Bug fix: Upgrade BouncyCastle.Cryptography to version 2.3.0 to allow for RFKDB HMAC-SHA-384 support diff --git a/README.md b/README.md index c523dbb1..132c8cf0 100644 --- a/README.md +++ b/README.md 
@@ -169,6 +169,7 @@ Please consult with your company's system administrator for more information on The Remote File Orchestrator Extension uses a JSON configuration file. It is located in the {Keyfactor Orchestrator Installation Folder}\Extensions\RemoteFile. None of the values are required, and a description of each follows below: { "UseSudo": "N", + "DefaultSudoImpersonatedUser": "", "CreateStoreIfMissing": "N", "UseNegotiate": "N", "SeparateUploadFilePath": "", 
@@ -177,7 +178,8 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo "DefaultOwnerOnStoreCreation": "" } -**UseSudo** (Applicable for Linux orchestrated servers only) - Y/N - Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. For Windows orchestrated servers, this setting has no effect. Setting this value to "N" will result in "sudo" not being added to Linux commands. **Default value if missing - N**. +**UseSudo** (Applicable for Linux orchestrated servers only) - Y/N - Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. For Windows orchestrated servers, this setting has no effect. Setting this value to "N" will result in "sudo" not being added to Linux commands. +**DefaultSudoImpersonatedUser** (Applicable for Linux orchestrated servers only) - Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is set to an empty string, the default user of "root" will be used. 
Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Security Considerations" section above. This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the Certificate Store Types section. **CreateStoreOnAddIfMissing** - Y/N - Determines, during a Management-Add job, if a certificate store should be created if it does not already exist. If set to "N", and the store referenced in the Management-Add job is not found, the job will return an error with a message stating that the store does not exist. If set to "Y", the store will be created and the certificate added to the certificate store. **Default value if missing - N**. **UseNegotiateAuth** (Applicable for Windows orchestrated servers only) – Y/N - Determines if WinRM should use Negotiate (Y) when connecting to the remote server. **Default Value if missing - N**. **SeparateUploadFilePath**(Applicable for Linux managed servers only) – Set this to the path you wish to use as the location on the orchestrated server to upload/download and later remove temporary work files when processing jobs. If set to "" or not provided, the location of the certificate store itself will be used. File transfer itself is performed using SCP or SFTP protocols (see FileT ransferProtocol setting). **Default Value if missing - blank**. 
@@ -211,6 +213,7 @@ When setting up the certificate store types you wish the Remote File Orchestrato *Custom Fields Tab:* - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. +- **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. 
If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. Entry Parameters Tab: - See specific certificate store type instructions below diff --git a/RemoteFile/ApplicationSettings.cs b/RemoteFile/ApplicationSettings.cs index 914e8fce..2b65a871 100644 --- a/RemoteFile/ApplicationSettings.cs +++ b/RemoteFile/ApplicationSettings.cs @@ -27,6 +27,7 @@ public enum FileTransferProtocolEnum private const string DEFAULT_LINUX_PERMISSION_SETTING = "600"; private const string DEFAULT_OWNER_SETTING = ""; + private const string DEFAULT_SUDO_IMPERSONATION_SETTING = ""; private static Dictionary configuration; 
@@ -36,6 +37,7 @@ public enum FileTransferProtocolEnum public static string SeparateUploadFilePath { get { return configuration.ContainsKey("SeparateUploadFilePath") ? AddTrailingSlash(configuration["SeparateUploadFilePath"]) : string.Empty; } } public static string DefaultLinuxPermissionsOnStoreCreation { get { return configuration.ContainsKey("DefaultLinuxPermissionsOnStoreCreation") ? configuration["DefaultLinuxPermissionsOnStoreCreation"] : DEFAULT_LINUX_PERMISSION_SETTING; } } public static string DefaultOwnerOnStoreCreation { get { return configuration.ContainsKey("DefaultOwnerOnStoreCreation") ? configuration["DefaultOwnerOnStoreCreation"] : DEFAULT_OWNER_SETTING; } } + public static string DefaultSudoImpersonatedUser { get { return configuration.ContainsKey("DefaultSudoImpersonatedUser") ? configuration["DefaultSudoImpersonatedUser"] : DEFAULT_SUDO_IMPERSONATION_SETTING; } } public static FileTransferProtocolEnum FileTransferProtocol { get diff --git a/RemoteFile/Discovery.cs b/RemoteFile/Discovery.cs index 69c33ac8..42df0c7c 100644 --- a/RemoteFile/Discovery.cs +++ b/RemoteFile/Discovery.cs @@ -15,6 +15,7 @@ using Keyfactor.Orchestrators.Common.Enums; using Microsoft.Extensions.Logging; +using Newtonsoft.Json; namespace Keyfactor.Extensions.Orchestrator.RemoteFile { @@ -57,7 +58,7 @@ public JobResult ProcessJob(DiscoveryJobConfiguration config, SubmitDiscoveryUpd ApplicationSettings.Initialize(this.GetType().Assembly.Location); certificateStore = new RemoteCertificateStore(config.ClientMachine, userName, userPassword, directoriesToSearch[0].Substring(0, 1) == "/" ? RemoteCertificateStore.ServerTypeEnum.Linux : RemoteCertificateStore.ServerTypeEnum.Windows); - certificateStore.Initialize(); + certificateStore.Initialize(ApplicationSettings.DefaultSudoImpersonatedUser); if (directoriesToSearch.Length == 0) throw new RemoteFileException("Blank or missing search directories for Discovery."); 
diff --git a/RemoteFile/InventoryBase.cs b/RemoteFile/InventoryBase.cs index 8d0fe637..3931e777 100644 --- a/RemoteFile/InventoryBase.cs +++ b/RemoteFile/InventoryBase.cs @@ -15,6 +15,7 @@ using Keyfactor.Extensions.Orchestrator.RemoteFile.Models; using Microsoft.Extensions.Logging; +using Newtonsoft.Json; namespace Keyfactor.Extensions.Orchestrator.RemoteFile { @@ -46,8 +47,13 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd string storePassword = PAMUtilities.ResolvePAMField(_resolver, logger, "Store Password", config.CertificateStoreDetails.StorePassword); ApplicationSettings.Initialize(this.GetType().Assembly.Location); + dynamic properties = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties.ToString()); + string sudoImpersonatedUser = properties.SudoImpersonatedUser == null || string.IsNullOrEmpty(properties.SudoImpersonatedUser.Value) ? + ApplicationSettings.DefaultSudoImpersonatedUser : + properties.SudoImpersonatedUser.Value; + certificateStore = new RemoteCertificateStore(config.CertificateStoreDetails.ClientMachine, userName, userPassword, config.CertificateStoreDetails.StorePath, storePassword, config.JobProperties); - certificateStore.Initialize(); + certificateStore.Initialize(sudoImpersonatedUser); certificateStore.LoadCertificateStore(certificateStoreSerializer, config.CertificateStoreDetails.Properties, true); List collections = certificateStore.GetCertificateChains(); diff --git a/RemoteFile/ManagementBase.cs b/RemoteFile/ManagementBase.cs index a6f9f438..5bb1d432 100644 --- a/RemoteFile/ManagementBase.cs +++ b/RemoteFile/ManagementBase.cs 
@@ -51,8 +51,13 @@ public JobResult ProcessJob(ManagementJobConfiguration config) string storePassword = PAMUtilities.ResolvePAMField(_resolver, logger, "Store Password", config.CertificateStoreDetails.StorePassword); ApplicationSettings.Initialize(this.GetType().Assembly.Location); + dynamic properties = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties.ToString()); + string sudoImpersonatedUser = properties.SudoImpersonatedUser == null || string.IsNullOrEmpty(properties.SudoImpersonatedUser.Value) ? + ApplicationSettings.DefaultSudoImpersonatedUser : + properties.SudoImpersonatedUser.Value; + certificateStore = new RemoteCertificateStore(config.CertificateStoreDetails.ClientMachine, userName, userPassword, config.CertificateStoreDetails.StorePath, storePassword, config.JobProperties); - certificateStore.Initialize(); + certificateStore.Initialize(sudoImpersonatedUser); PathFile storePathFile = RemoteCertificateStore.SplitStorePathFile(config.CertificateStoreDetails.StorePath); diff --git a/RemoteFile/RemoteCertificateStore.cs b/RemoteFile/RemoteCertificateStore.cs index 8569f6fa..901c0b95 100644 --- a/RemoteFile/RemoteCertificateStore.cs +++ b/RemoteFile/RemoteCertificateStore.cs @@ -75,7 +75,7 @@ internal RemoteCertificateStore(string server, string serverId, string serverPas UploadFilePath = !string.IsNullOrEmpty(ApplicationSettings.SeparateUploadFilePath) && ServerType == ServerTypeEnum.Linux ? ApplicationSettings.SeparateUploadFilePath : StorePath; logger.LogDebug($"UploadFilePath: {UploadFilePath}"); - if (!IsStorePathValid()) + if (!IsValueSafeRegex(StorePath + StoreFileName)) { logger.LogDebug("Store path not valid"); string partialMessage = ServerType == ServerTypeEnum.Windows ? @"'\', ':', " : string.Empty; 
@@ -136,6 +136,14 @@ internal void Terminate() internal List FindStores(string[] paths, string[] extensions, string[] files, bool includeSymLinks) { logger.MethodEntry(LogLevel.Debug); + + if (!AreValuesSafeRegex(paths)) + throw new RemoteFileException(@"Invalid/unsafe directories to search value supplied. Only alphanumeric, /, and \ characters are allowed."); + if (!AreValuesSafeRegex(extensions)) + throw new RemoteFileException(@"Invalid/unsafe file extension value supplied. Only alphanumeric, /, and \ characters are allowed."); + if (!AreValuesSafeRegex(files)) + throw new RemoteFileException(@"Invalid/unsafe file name value supplied. Only alphanumeric, /, and \ characters are allowed."); + logger.MethodExit(LogLevel.Debug); if (DiscoveredStores != null) @@ -331,7 +339,7 @@ internal static PathFile SplitStorePathFile(string pathFileName) } } - internal void Initialize() + internal void Initialize(string sudoImpersonatedUser) { logger.MethodEntry(LogLevel.Debug); @@ -347,7 +355,19 @@ internal void Initialize() logger.MethodExit(LogLevel.Debug); } - private bool IsStorePathValid() + private bool AreValuesSafeRegex(string[] values) + { + bool valueIsSafe = true; + foreach(string value in values) + { + valueIsSafe = IsValueSafeRegex(value.Replace("*",String.Empty)); + if (!valueIsSafe) + break; + } + return valueIsSafe; + } + + private bool IsValueSafeRegex(string value) { logger.MethodEntry(LogLevel.Debug); @@ -355,7 +375,7 @@ private bool IsStorePathValid() logger.MethodExit(LogLevel.Debug); - return regex.IsMatch(StorePath + StoreFileName); + return regex.IsMatch(value); } private List FindStoresLinux(string[] paths, string[] extensions, string[] fileNames, bool includeSymLinks) diff --git a/RemoteFile/RemoteHandlers/SSHHandler.cs b/RemoteFile/RemoteHandlers/SSHHandler.cs index 495cafd8..e5440f5b 100644 --- a/RemoteFile/RemoteHandlers/SSHHandler.cs +++ b/RemoteFile/RemoteHandlers/SSHHandler.cs 
@@ -24,15 +24,15 @@ namespace Keyfactor.Extensions.Orchestrator.RemoteFile.RemoteHandlers class SSHHandler : BaseRemoteHandler { private ConnectionInfo Connection { get; set; } - private bool IsStoreServerLinux { get; set; } - + private string SudoImpersonatedUser { get; set; } private SshClient sshClient; - internal SSHHandler(string server, string serverLogin, string serverPassword, bool isStoreServerLinux) + internal SSHHandler(string server, string serverLogin, string serverPassword, bool isStoreServerLinux, string sudoImpersonatedUser) { _logger.MethodEntry(LogLevel.Debug); Server = server; + SudoImpersonatedUser = sudoImpersonatedUser; IsStoreServerLinux = isStoreServerLinux; List authenticationMethods = new List(); @@ -98,13 +98,18 @@ public override string RunCommand(string commandText, object[] arguments, bool w { _logger.MethodEntry(LogLevel.Debug); - string sudo = $"sudo -i -S "; + string sudo = $"sudo -S "; string echo = $"echo -e '\n' | "; try { if (withSudo && IsStoreServerLinux) - commandText = sudo + commandText; + { + if (string.IsNullOrEmpty(SudoImpersonatedUser)) + commandText = sudo + commandText; + else + commandText = sudo + $"-u {SudoImpersonatedUser}" + " " + commandText; + } if (IsStoreServerLinux) { @@ -219,7 +224,6 @@ public override void UploadCertificateFile(string path, string fileName, byte[] if (!string.IsNullOrEmpty(ApplicationSettings.SeparateUploadFilePath) && IsStoreServerLinux) { - //RunCommand($"cat {uploadPath} > {path}/{fileName}", null, ApplicationSettings.UseSudo, null); RunCommand($"tee {path}/{fileName} < {uploadPath} > /dev/null", null, ApplicationSettings.UseSudo, null); RunCommand($"rm {uploadPath}", null, ApplicationSettings.UseSudo, null); } 
@@ -243,7 +247,8 @@ public override byte[] DownloadCertificateFile(string path) SplitStorePathFile(path, out altPathOnly, out altFileNameOnly); downloadPath = ApplicationSettings.SeparateUploadFilePath + altFileNameOnly; RunCommand($"cp {path} {downloadPath}", null, ApplicationSettings.UseSudo, null); - RunCommand($"chown {Connection.Username} {downloadPath}", null, ApplicationSettings.UseSudo, null); + if (string.IsNullOrEmpty(SudoImpersonatedUser)) + RunCommand($"chown {Connection.Username} {downloadPath}", null, ApplicationSettings.UseSudo, null); } bool scpError = false; diff --git a/RemoteFile/config.json b/RemoteFile/config.json index 24999a06..3e638d79 100644 --- a/RemoteFile/config.json +++ b/RemoteFile/config.json @@ -1,9 +1,10 @@ { "UseSudo": "N", + "DefaultSudoImpersonatedUser": "", "CreateStoreIfMissing": "N", "UseNegotiate": "N", "SeparateUploadFilePath": "", "FileTransferProtocol": "SCP", "DefaultLinuxPermissionsOnStoreCreation": "600", - "DefaultOwnerOnStoreCreation": "" + "DefaultOwnerOnStoreCreation": "" } \ No newline at end of file diff --git a/integration-manifest.json b/integration-manifest.json index 641a20a9..bb423a33 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -68,6 +68,14 @@ "DependsOn": "", "Type": "String", "DefaultValue": "" + }, + { + "Name": "SudoImpersonatingUser", + "DisplayName": "Sudo Impersonating User", + "Required": false, + "DependsOn": "", + "Type": "String", + "DefaultValue": "" } ], "EntryParameters": [] @@ -110,6 +118,14 @@ "Type": "String", "DefaultValue": "" }, + { + "Name": "SudoImpersonatingUser", + "DisplayName": "Sudo Impersonating User", + "Required": false, + "DependsOn": "", + "Type": "String", + "DefaultValue": "" + }, { "Name": "IsTrustStore", "DisplayName": "Trust Store", 
@@ -190,6 +206,14 @@ "DependsOn": "", "Type": "String", "DefaultValue": "" + }, + { + "Name": "SudoImpersonatingUser", + "DisplayName": "Sudo Impersonating User", + "Required": false, + "DependsOn": "", + "Type": "String", + "DefaultValue": "" } ], "EntryParameters": [] @@ -232,6 +256,14 @@ "Type": "String", "DefaultValue": "" }, + { + "Name": "SudoImpersonatingUser", + "DisplayName": "Sudo Impersonating User", + "Required": false, + "DependsOn": "", + "Type": "String", + "DefaultValue": "" + }, { "Name": "SeparatePrivateKeyFilePath", "DisplayName": "Separate Private Key File Location", @@ -280,6 +312,14 @@ "DependsOn": "", "Type": "String", "DefaultValue": "" + }, + { + "Name": "SudoImpersonatingUser", + "DisplayName": "Sudo Impersonating User", + "Required": false, + "DependsOn": "", + "Type": "String", + "DefaultValue": "" } ], "EntryParameters": [] @@ -322,6 +362,14 @@ "Type": "String", "DefaultValue": "" }, + { + "Name": "SudoImpersonatingUser", + "DisplayName": "Sudo Impersonating User", + "Required": false, + "DependsOn": "", + "Type": "String", + "DefaultValue": "" + }, { "Name": "WorkFolder", "DisplayName": "Location to use for creation/removal of work files", diff --git a/readme_source.md b/readme_source.md index 574a4ca5..452661dc 100644 --- a/readme_source.md +++ b/readme_source.md @@ -68,6 +68,7 @@ Please consult with your company's system administrator for more information on The Remote File Orchestrator Extension uses a JSON configuration file. It is located in the {Keyfactor Orchestrator Installation Folder}\Extensions\RemoteFile. None of the values are required, and a description of each follows below: { "UseSudo": "N", + "DefaultSudoImpersonatedUser": "", "CreateStoreIfMissing": "N", "UseNegotiate": "N", "SeparateUploadFilePath": "", 
@@ -76,7 +77,8 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo "DefaultOwnerOnStoreCreation": "" } -**UseSudo** (Applicable for Linux orchestrated servers only) - Y/N - Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. For Windows orchestrated servers, this setting has no effect. Setting this value to "N" will result in "sudo" not being added to Linux commands. **Default value if missing - N**. +**UseSudo** (Applicable for Linux orchestrated servers only) - Y/N - Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. For Windows orchestrated servers, this setting has no effect. Setting this value to "N" will result in "sudo" not being added to Linux commands. +**DefaultSudoImpersonatedUser** (Applicable for Linux orchestrated servers only) - Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is set to an empty string, the default user of "root" will be used. 
Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Security Considerations" section above. This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the Certificate Store Types section. **CreateStoreOnAddIfMissing** - Y/N - Determines, during a Management-Add job, if a certificate store should be created if it does not already exist. If set to "N", and the store referenced in the Management-Add job is not found, the job will return an error with a message stating that the store does not exist. If set to "Y", the store will be created and the certificate added to the certificate store. **Default value if missing - N**. **UseNegotiateAuth** (Applicable for Windows orchestrated servers only) – Y/N - Determines if WinRM should use Negotiate (Y) when connecting to the remote server. **Default Value if missing - N**. **SeparateUploadFilePath**(Applicable for Linux managed servers only) – Set this to the path you wish to use as the location on the orchestrated server to upload/download and later remove temporary work files when processing jobs. If set to "" or not provided, the location of the certificate store itself will be used. File transfer itself is performed using SCP or SFTP protocols (see FileT ransferProtocol setting). **Default Value if missing - blank**. 
@@ -110,6 +112,7 @@ When setting up the certificate store types you wish the Remote File Orchestrato *Custom Fields Tab:* - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. +- **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. 
If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. Entry Parameters Tab: - See specific certificate store type instructions below From 6d2ce9b6fb244844abaddffa8dd1c2c21e4fc81e Mon Sep 17 00:00:00 2001 From: leefine02 Date: Wed, 17 Apr 2024 17:33:46 +0000 Subject: [PATCH 002/108] ab#55565 --- RemoteFile/RemoteCertificateStore.cs | 2 +- RemoteFile/RemoteHandlers/SSHHandler.cs | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/RemoteFile/RemoteCertificateStore.cs b/RemoteFile/RemoteCertificateStore.cs index 901c0b95..3d8b5028 100644 --- a/RemoteFile/RemoteCertificateStore.cs +++ b/RemoteFile/RemoteCertificateStore.cs 
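Review bot: the first `SSHHandler.cs` hunk (`@@ -24,15 +24,15 @@`) deletes `private bool IsStoreServerLinux { get; set; }` while the constructor in the same hunk still assigns `IsStoreServerLinux = isStoreServerLinux;` and `RunCommand` still tests `withSudo && IsStoreServerLinux`, so the file no longer compiles as patched; keep that property next to the new `SudoImpersonatedUser` one rather than replacing it.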
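Review bot: in the `RunCommand` hunk of `RemoteFile/RemoteHandlers/SSHHandler.cs` (`@@ -98,13 +98,18 @@`), `SudoImpersonatedUser` is spliced into the shell command as `sudo + $"-u {SudoImpersonatedUser}" + " " + commandText` with no validation, even though this same patch adds `AreValuesSafeRegex`/`IsValueSafeRegex` in `RemoteCertificateStore.cs` to vet Discovery input. The value originates in `config.json` (`DefaultSudoImpersonatedUser`) or a per-store custom field, so check it against an allow-list of the characters valid in a Unix account name (letters, digits, `_`, `-`, `.`) when it is resolved in `InventoryBase`/`ManagementBase`/`Discovery`, and reject it with a `RemoteFileException` otherwise, before it ever reaches the command string.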
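Review bot: in the `DownloadCertificateFile` hunk (`@@ -243,7 +247,8 @@`) the `chown {Connection.Username} {downloadPath}` step is skipped whenever `SudoImpersonatedUser` is set, so the copy produced by `cp` under `sudo -u <user>` keeps the impersonated user's ownership and the SCP/SFTP read that follows (`bool scpError = false;` ...) succeeds only if `Connection.Username` can read that file. Add a comment stating this assumption, which is the README requirement that the impersonated user can transfer files to/from `SeparateUploadFilePath`, or check readability and fail with a clear `RemoteFileException` so operators do not get a bare SCP error.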
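Review bot: in the `RemoteCertificateStore.cs` hunk that adds `AreValuesSafeRegex` (`@@ -347,7 +355,19 @@`), `value.Replace("*", String.Empty)` throws `NullReferenceException` for a null array element, so a malformed Discovery request surfaces as an unhandled exception instead of the intended `RemoteFileException`; null-check inside the loop (`(value ?? string.Empty).Replace(...)`). The three messages added in the `FindStores` hunk also say only alphanumeric, `/` and `\` are accepted, whereas the existing constructor message in the same file lists `':'` as allowed on Windows for the very same regex; align the messages with what `IsValueSafeRegex` actually matches, since the regex itself is not changed by this patch.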
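Review bot: the `integration-manifest.json` hunks register the custom field as `"Name": "SudoImpersonatingUser"` (display name "Sudo Impersonating User"), but `InventoryBase.cs` and `ManagementBase.cs` read `properties.SudoImpersonatedUser`, and `README.md`, `readme_source.md` and `CHANGELOG.md` all document it as `SudoImpersonatedUser`. With that mismatch the per-store override is never read and every job silently falls back to `DefaultSudoImpersonatedUser`; rename all six manifest entries to `SudoImpersonatedUser` / "Sudo Impersonated User Id" to match the code and the docs.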
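Review bot: the `ManagementBase.cs` hunk (`@@ -51,8 +51,13 @@`) repeats the four-line `dynamic properties = JsonConvert.DeserializeObject(...)` / `sudoImpersonatedUser` resolution from the `InventoryBase.cs` hunk verbatim; move it into one shared helper so that any later validation or field rename lands in both job types. Using `dynamic` also means a missing or non-string property only fails at run time; a typed `JObject` lookup with an explicit default would make the fallback visible. Note too that this hunk calls `JsonConvert` while the diff adds no `using Newtonsoft.Json;` to `ManagementBase.cs` (the `InventoryBase.cs` hunk does add it), whereas `Discovery.cs` gains the directive (`@@ -15,6 +15,7 @@`) without any use of it in that file's hunks.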
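Review bot: in the `README.md` (`@@ -177,7 +178,8 @@`) and `readme_source.md` (`@@ -76,7 +77,8 @@`) hunks, the rewritten `**UseSudo**` paragraph drops the trailing `**Default value if missing - N**.` that the removed line carried, leaving UseSudo as the only setting in the list without a documented default; restore it. In the same hunks, "overriden" in the new DefaultSudoImpersonatedUser text should read "overridden".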
@@ -346,7 +346,7 @@ internal void Initialize(string sudoImpersonatedUser) bool treatAsLocal = Server.ToLower().EndsWith(LOCAL_MACHINE_SUFFIX); if (ServerType == ServerTypeEnum.Linux || RuntimeInformation.IsOSPlatform(OSPlatform.Linux)) - RemoteHandler = treatAsLocal ? new LinuxLocalHandler() as IRemoteHandler : new SSHHandler(Server, ServerId, ServerPassword, ServerType == ServerTypeEnum.Linux) as IRemoteHandler; + RemoteHandler = treatAsLocal ? new LinuxLocalHandler() as IRemoteHandler : new SSHHandler(Server, ServerId, ServerPassword, ServerType == ServerTypeEnum.Linux, sudoImpersonatedUser) as IRemoteHandler; else RemoteHandler = new WinRMHandler(Server, ServerId, ServerPassword, treatAsLocal); diff --git a/RemoteFile/RemoteHandlers/SSHHandler.cs b/RemoteFile/RemoteHandlers/SSHHandler.cs index e5440f5b..64668815 100644 --- a/RemoteFile/RemoteHandlers/SSHHandler.cs +++ b/RemoteFile/RemoteHandlers/SSHHandler.cs @@ -25,6 +25,7 @@ class SSHHandler : BaseRemoteHandler { private ConnectionInfo Connection { get; set; } private string SudoImpersonatedUser { get; set; } + private bool IsStoreServerLinux { get; set; } private SshClient sshClient; internal SSHHandler(string server, string serverLogin, string serverPassword, bool isStoreServerLinux, string sudoImpersonatedUser) From 781e8e8b02c1182ecf0d78fa98b1f19cfc2183c7 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Thu, 18 Apr 2024 14:16:56 +0000 Subject: [PATCH 003/108] ab#55565 --- RemoteFile/ManagementBase.cs | 4 ++-- RemoteFile/RemoteHandlers/LinuxLocalHandler.cs | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RemoteFile/ManagementBase.cs b/RemoteFile/ManagementBase.cs index 5bb1d432..a6c213c7 100644 --- a/RemoteFile/ManagementBase.cs +++ b/RemoteFile/ManagementBase.cs 
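Review bot: in the `RemoteCertificateStore.Initialize` hunk (`@@ -346,7 +346,7 @@`) `sudoImpersonatedUser` is now threaded into `SSHHandler`, but the `treatAsLocal` branch still constructs `new LinuxLocalHandler()` with no such argument, and `WinRMHandler` likewise. A store on the orchestrator's own host therefore silently ignores `DefaultSudoImpersonatedUser` / `SudoImpersonatedUser` and, per the `LinuxLocalHandler` prefix `sudo -S` with no `-u`, still elevates to root. Either pass the value through to `LinuxLocalHandler` or log a warning and state in the README that impersonation applies to SSH-managed stores only.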
@@ -64,7 +64,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config) switch (config.OperationType) { case CertStoreOperationType.Add: - logger.LogDebug($"BEGIN create Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}."); + logger.LogDebug($"BEGIN add Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}."); if (!certificateStore.DoesStoreExist()) { if (ApplicationSettings.CreateStoreIfMissing) @@ -76,7 +76,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config) certificateStore.AddCertificate((config.JobCertificate.Alias ?? new X509Certificate2(Convert.FromBase64String(config.JobCertificate.Contents), config.JobCertificate.PrivateKeyPassword).Thumbprint), config.JobCertificate.Contents, config.Overwrite, config.JobCertificate.PrivateKeyPassword); certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, storePassword, certificateStore.RemoteHandler)); - logger.LogDebug($"END create Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}."); + logger.LogDebug($"END add Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}."); break; case CertStoreOperationType.Remove: diff --git a/RemoteFile/RemoteHandlers/LinuxLocalHandler.cs b/RemoteFile/RemoteHandlers/LinuxLocalHandler.cs index 733ac69a..8195ad44 100644 --- a/RemoteFile/RemoteHandlers/LinuxLocalHandler.cs +++ b/RemoteFile/RemoteHandlers/LinuxLocalHandler.cs @@ -51,7 +51,7 @@ public override string RunCommand(string commandText, object[] arguments, bool w { _logger.MethodEntry(LogLevel.Debug); - string sudo = $"echo -e '\n' | sudo -i -S "; + string sudo = $"echo -e \\n | sudo -S "; try { From b104f84909494417469a1ca9db30ad6891c8455e Mon Sep 17 00:00:00 2001 
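Review bot: in the `LinuxLocalHandler.cs` hunk (`@@ -51,7 +51,7 @@`) the prefix changes from `$"echo -e '\n' | sudo -i -S "` to `$"echo -e \\n | sudo -S "`, which also drops the single quotes. The C# literal `\\n` produces the two characters `\n` in the command text, and because the pipe requires the string to be handed to a POSIX shell, the shell consumes the unquoted backslash before `echo` sees it: what runs is `echo -e n`, so `sudo -S` reads the line `n` as the password rather than the intended empty line. Keep the quotes (`$"echo -e '\\n' | sudo -S "`) or, more portably, drop `-e` and use `echo '' | sudo -S `. The `$` prefix is also unnecessary on a string with no interpolation holes.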
From: leefine02 Date: Thu, 18 Apr 2024 14:24:03 +0000 Subject: [PATCH 004/108] ab#55565 --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b4a8d915..3755b8ea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,8 @@ +v2.6.0 +- Added ability for Linux installed universal orchestrator to manage stores as an "agent" (stores reside on same server as universal orchestrator) without the need to have SSH enabled. +- Added ability for Linux installed universal orchestrator to manage certificate stores on Windows servers by using SSH to communicate between the Linux UO server and the Windows machines hosting the certificate stores. +- Modified Discovery against Linux servers to use the -name option instead of -iname for the Linux shell "find" command, so Discovery will work for AIX servers. + v2.5.0 - Add new optional custom field and config.json entries to supply a user id other than "root" for the user to "sudo into" when UseSudo = "Y". There is an optional config.json DefaultSudoImpersonatedUser that will be used at the orchestrator level, and an optional new store type custom field, SudoImpersonatedUser, that overrides the config.json setting for each certificate store. - Modified the optional sudo command prefix to remove the "-i" option which was creating a new shell for the impersonated id (always root up until this release). Without this option the profile for the logged in user and not the impersonated user will be used when running commands. From 12d1f729376554c9d3771d3c02373584b9c18a43 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Fri, 19 Apr 2024 19:09:05 +0000 Subject: [PATCH 005/108] ab#55565 --- CHANGELOG.md | 1 + RemoteFile/RemoteCertificateStore.cs | 3 --- RemoteFile/RemoteFile.csproj | 5 ++--- RemoteFile/RemoteHandlers/WinRMHandler.cs | 1 - 4 files changed, 3 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3755b8ea..ce9e0e70 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
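Review bot: the v2.6.0 CHANGELOG entry in this hunk understates two user-visible changes. The Windows-over-SSH path should say which credentials and host-key handling apply there, since the README's Windows prerequisites are written for WinRM only; and switching `find` from `-iname` to `-name` makes Discovery file-name matching case-sensitive on every Linux target, not just AIX, so an existing discovery job that relied on case-insensitive matches will now return fewer results. Both belong in the entry as behaviour changes, not just as the AIX fix.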
@@ -2,6 +2,7 @@ v2.6.0 - Added ability for Linux installed universal orchestrator to manage stores as an "agent" (stores reside on same server as universal orchestrator) without the need to have SSH enabled. - Added ability for Linux installed universal orchestrator to manage certificate stores on Windows servers by using SSH to communicate between the Linux UO server and the Windows machines hosting the certificate stores. - Modified Discovery against Linux servers to use the -name option instead of -iname for the Linux shell "find" command, so Discovery will work for AIX servers. +- Upgraded several NuGet packages. v2.5.0 - Add new optional custom field and config.json entries to supply a user id other than "root" for the user to "sudo into" when UseSudo = "Y". There is an optional config.json DefaultSudoImpersonatedUser that will be used at the orchestrator level, and an optional new store type custom field, SudoImpersonatedUser, that overrides the config.json setting for each certificate store. diff --git a/RemoteFile/RemoteCertificateStore.cs b/RemoteFile/RemoteCertificateStore.cs index 3d8b5028..3e23edd6 100644 --- a/RemoteFile/RemoteCertificateStore.cs +++ b/RemoteFile/RemoteCertificateStore.cs @@ -12,7 +12,6 @@ using System.Security.Cryptography.X509Certificates; using System.Text; using System.Text.RegularExpressions; -using System.Threading; using Microsoft.Extensions.Logging; @@ -22,9 +21,7 @@ using Keyfactor.Extensions.Orchestrator.RemoteFile.RemoteHandlers; using Keyfactor.Extensions.Orchestrator.RemoteFile.Models; using Keyfactor.Logging; -using System.Management.Automation; using System.Runtime.InteropServices; -using Microsoft.CodeAnalysis.CSharp.Syntax; namespace Keyfactor.Extensions.Orchestrator.RemoteFile { diff --git a/RemoteFile/RemoteFile.csproj b/RemoteFile/RemoteFile.csproj index dc4d77a0..1ee2cf4e 100644 --- a/RemoteFile/RemoteFile.csproj +++ b/RemoteFile/RemoteFile.csproj @@ -2,7 +2,7 @@ false - netcoreapp3.1 + net6.0 true 
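Review bot: the csproj hunk moves TargetFramework from netcoreapp3.1 to net6.0, which is a runtime prerequisite change for anyone deploying the extension, yet the CHANGELOG hunk in the same patch records it only as "Upgraded several NuGet packages". Call the framework bump out explicitly in the v2.6.0 entry and in the README prerequisites. Dropping the unused `System.Management.Automation` and `Microsoft.CodeAnalysis.CSharp.Syntax` usings from RemoteCertificateStore.cs is a good cleanup; please confirm the matching package reference removal in the csproj hunk is the one that provided Microsoft.CodeAnalysis, so it does not stay as a transitive dependency.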
@@ -25,8 +25,7 @@ - - + diff --git a/RemoteFile/RemoteHandlers/WinRMHandler.cs b/RemoteFile/RemoteHandlers/WinRMHandler.cs index e19c0033..c8842837 100644 --- a/RemoteFile/RemoteHandlers/WinRMHandler.cs +++ b/RemoteFile/RemoteHandlers/WinRMHandler.cs @@ -8,7 +8,6 @@ using System; using System.Collections.Generic; using System.Management.Automation; -using System.Management.Automation.Remoting; using System.Management.Automation.Runspaces; using System.Net; using System.Text; From 854181358ccd4e3bb7adf3fc8d637503d68ee033 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 13:31:39 +0000 Subject: [PATCH 006/108] ab#55565 --- readme_source.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/readme_source.md b/readme_source.md index 452661dc..027eb3e4 100644 --- a/readme_source.md +++ b/readme_source.md @@ -27,7 +27,8 @@ The version number of a the Remote File Orchestrator Extension can be verified b ## Security Considerations -**For Linux orchestrated servers:** +
+**For Linux orchestrated servers:** 1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux servers. If the credentials you will be connecting with need elevated access to run these commands or to access the certificate store files these commands operate against, you must set up the user id as a sudoer with no password necessary and set the config.json "UseSudo" value to "Y" (See "Config File Setup" later in this README for more information on setting up the config.json file). The full list of these commands below: |Shell Command|Used For| @@ -45,8 +46,10 @@ The version number of a the Remote File Orchestrator Extension can be verified b 2. The Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server. SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer. If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer (See "Config File Setup" later in this README regarding the config.json file). 3. SSH Key Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension (see "Creating Certificate Stores" later in this README, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or a user id and SSH private key. Both PKCS#1 (BEGIN RSA PRIVATE KEY) and PKCS#8 (BEGIN PRIVATE KEY) formats are supported for the SSH private key. If using the normal Keyfactor Command credentials dialog without PAM integration, just copy and paste the full SSH private key into the Password textbox. +
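Review bot: item 1 of this hunk tells the reader to set the account up "as a sudoer with no password necessary" while in the same breath pointing at the full table of commands the extension runs; the guidance should be to scope the sudoers entry to exactly those commands (and, with the SudoImpersonatedUser feature, to the specific target user, e.g. `svc ALL=(appuser) NOPASSWD: /usr/bin/cp, ...`) rather than an unrestricted `NOPASSWD: ALL`, because this is the credential Keyfactor holds for every managed host. Also "apprpriately" in item 2 is misspelled, and item 3 is missing the closing parenthesis after "later in this README".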
-**For Windows orchestrated servers:** +
+**For Windows orchestrated servers:** 1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command (See "Creating Certificate Stores" later in this README). Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment. @@ -61,6 +64,7 @@ Please consult with your company's system administrator for more information on 6. (Optional) If you decide to create one or more certificate store types with short names different than the suggested values (please see the individual certificate store type sections in "Certificate Store Types" later in this README for more information regarding certificate store types), edit the manifest.json file in the folder you created in step 3, and modify each "ShortName" in each "Certstores.{ShortName}.{Operation}" line with the ShortName you used to create the respective certificate store type. If you created it with the suggested values, this step can be skipped. 7. Modify the config.json file (See the "Configuration File Setup" section later in this README) 8. Start the Keyfactor Universal Orchestrator Service. +
    ## Configuration File Setup From 58c1d4c9934dc74e670206f33223f5f54682af46 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 13:48:27 +0000 Subject: [PATCH 007/108] Update generated README --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 132c8cf0..dee12dfe 100644 --- a/README.md +++ b/README.md @@ -128,7 +128,8 @@ The version number of a the Remote File Orchestrator Extension can be verified b ## Security Considerations -**For Linux orchestrated servers:** +
+**For Linux orchestrated servers:** 1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux servers. If the credentials you will be connecting with need elevated access to run these commands or to access the certificate store files these commands operate against, you must set up the user id as a sudoer with no password necessary and set the config.json "UseSudo" value to "Y" (See "Config File Setup" later in this README for more information on setting up the config.json file). The full list of these commands below: |Shell Command|Used For| @@ -146,8 +147,10 @@ The version number of a the Remote File Orchestrator Extension can be verified b 2. The Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server. SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer. If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer (See "Config File Setup" later in this README regarding the config.json file). 3. SSH Key Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension (see "Creating Certificate Stores" later in this README, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or a user id and SSH private key. Both PKCS#1 (BEGIN RSA PRIVATE KEY) and PKCS#8 (BEGIN PRIVATE KEY) formats are supported for the SSH private key. If using the normal Keyfactor Command credentials dialog without PAM integration, just copy and paste the full SSH private key into the Password textbox. +
-**For Windows orchestrated servers:** +
+**For Windows orchestrated servers:** 1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command (See "Creating Certificate Stores" later in this README). Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment. @@ -162,6 +165,7 @@ Please consult with your company's system administrator for more information on 6. (Optional) If you decide to create one or more certificate store types with short names different than the suggested values (please see the individual certificate store type sections in "Certificate Store Types" later in this README for more information regarding certificate store types), edit the manifest.json file in the folder you created in step 3, and modify each "ShortName" in each "Certstores.{ShortName}.{Operation}" line with the ShortName you used to create the respective certificate store type. If you created it with the suggested values, this step can be skipped. 7. Modify the config.json file (See the "Configuration File Setup" section later in this README) 8. Start the Keyfactor Universal Orchestrator Service. +
    ## Configuration File Setup From 365999a023bcadc790f5f5a27f098ac788b59fb6 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 13:50:07 +0000 Subject: [PATCH 008/108] ab#55565 --- readme_source.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/readme_source.md b/readme_source.md index 027eb3e4..95ca38ea 100644 --- a/readme_source.md +++ b/readme_source.md @@ -46,10 +46,10 @@ The version number of a the Remote File Orchestrator Extension can be verified b 2. The Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server. SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer. If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer (See "Config File Setup" later in this README regarding the config.json file). 3. SSH Key Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension (see "Creating Certificate Stores" later in this README, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or a user id and SSH private key. Both PKCS#1 (BEGIN RSA PRIVATE KEY) and PKCS#8 (BEGIN PRIVATE KEY) formats are supported for the SSH private key. If using the normal Keyfactor Command credentials dialog without PAM integration, just copy and paste the full SSH private key into the Password textbox. - + -
-**For Windows orchestrated servers:** +
+ **For Windows orchestrated servers:** 1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command (See "Creating Certificate Stores" later in this README). Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment. @@ -64,7 +64,7 @@ Please consult with your company's system administrator for more information on 6. (Optional) If you decide to create one or more certificate store types with short names different than the suggested values (please see the individual certificate store type sections in "Certificate Store Types" later in this README for more information regarding certificate store types), edit the manifest.json file in the folder you created in step 3, and modify each "ShortName" in each "Certstores.{ShortName}.{Operation}" line with the ShortName you used to create the respective certificate store type. If you created it with the suggested values, this step can be skipped. 7. Modify the config.json file (See the "Configuration File Setup" section later in this README) 8. Start the Keyfactor Universal Orchestrator Service. -
+
    ## Configuration File Setup From 4f4747b815a7492a282b56b362d3a03541386237 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 13:50:46 +0000 Subject: [PATCH 009/108] Update generated README --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index dee12dfe..12ab5ae9 100644 --- a/README.md +++ b/README.md @@ -147,10 +147,10 @@ The version number of a the Remote File Orchestrator Extension can be verified b 2. The Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server. SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer. If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer (See "Config File Setup" later in this README regarding the config.json file). 3. SSH Key Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension (see "Creating Certificate Stores" later in this README, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or a user id and SSH private key. Both PKCS#1 (BEGIN RSA PRIVATE KEY) and PKCS#8 (BEGIN PRIVATE KEY) formats are supported for the SSH private key. If using the normal Keyfactor Command credentials dialog without PAM integration, just copy and paste the full SSH private key into the Password textbox. - + -
-**For Windows orchestrated servers:** +
+ **For Windows orchestrated servers:** 1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command (See "Creating Certificate Stores" later in this README). Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment. @@ -165,7 +165,7 @@ Please consult with your company's system administrator for more information on 6. (Optional) If you decide to create one or more certificate store types with short names different than the suggested values (please see the individual certificate store type sections in "Certificate Store Types" later in this README for more information regarding certificate store types), edit the manifest.json file in the folder you created in step 3, and modify each "ShortName" in each "Certstores.{ShortName}.{Operation}" line with the ShortName you used to create the respective certificate store type. If you created it with the suggested values, this step can be skipped. 7. Modify the config.json file (See the "Configuration File Setup" section later in this README) 8. Start the Keyfactor Universal Orchestrator Service. -
+
    ## Configuration File Setup From cea5e1b560eb1e3df050027705bd4233c03b655e Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 13:57:09 +0000 Subject: [PATCH 010/108] ab#55565 --- readme_source.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme_source.md b/readme_source.md index 95ca38ea..63f5d6ce 100644 --- a/readme_source.md +++ b/readme_source.md @@ -49,7 +49,7 @@ The version number of a the Remote File Orchestrator Extension can be verified b
- **For Windows orchestrated servers:** +For Windows orchestrated servers: 1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command (See "Creating Certificate Stores" later in this README). Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment. From 733bd749c7854b06260235cbce141096c4326152 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 13:57:44 +0000 Subject: [PATCH 011/108] Update generated README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 12ab5ae9..950b67ce 100644 --- a/README.md +++ b/README.md @@ -150,7 +150,7 @@ The version number of a the Remote File Orchestrator Extension can be verified b
- **For Windows orchestrated servers:** +For Windows orchestrated servers: 1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command (See "Creating Certificate Stores" later in this README). Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment. From c0f50ea432ecdfa8c0f00e3d653842ef68f72cc0 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 13:59:20 +0000 Subject: [PATCH 012/108] ab#55565 --- readme_source.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/readme_source.md b/readme_source.md index 63f5d6ce..1a009cbc 100644 --- a/readme_source.md +++ b/readme_source.md @@ -28,7 +28,7 @@ The version number of a the Remote File Orchestrator Extension can be verified b ## Security Considerations
-**For Linux orchestrated servers:** +For Linux orchestrated servers: 1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux servers. If the credentials you will be connecting with need elevated access to run these commands or to access the certificate store files these commands operate against, you must set up the user id as a sudoer with no password necessary and set the config.json "UseSudo" value to "Y" (See "Config File Setup" later in this README for more information on setting up the config.json file). The full list of these commands below: |Shell Command|Used For| @@ -65,8 +65,8 @@ Please consult with your company's system administrator for more information on 7. Modify the config.json file (See the "Configuration File Setup" section later in this README) 8. Start the Keyfactor Universal Orchestrator Service.
-  -  +\ +\ ## Configuration File Setup The Remote File Orchestrator Extension uses a JSON configuration file. It is located in the {Keyfactor Orchestrator Installation Folder}\Extensions\RemoteFile. None of the values are required, and a description of each follows below: From b55329538981cc167317e43f0b013dc698011806 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 13:59:55 +0000 Subject: [PATCH 013/108] Update generated README --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 950b67ce..1a91e208 100644 --- a/README.md +++ b/README.md @@ -129,7 +129,7 @@ The version number of a the Remote File Orchestrator Extension can be verified b ## Security Considerations
-**For Linux orchestrated servers:** +For Linux orchestrated servers: 1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux servers. If the credentials you will be connecting with need elevated access to run these commands or to access the certificate store files these commands operate against, you must set up the user id as a sudoer with no password necessary and set the config.json "UseSudo" value to "Y" (See "Config File Setup" later in this README for more information on setting up the config.json file). The full list of these commands below: |Shell Command|Used For| @@ -166,8 +166,8 @@ Please consult with your company's system administrator for more information on 7. Modify the config.json file (See the "Configuration File Setup" section later in this README) 8. Start the Keyfactor Universal Orchestrator Service.
-  -  +\ +\ ## Configuration File Setup The Remote File Orchestrator Extension uses a JSON configuration file. It is located in the {Keyfactor Orchestrator Installation Folder}\Extensions\RemoteFile. None of the values are required, and a description of each follows below: From 4a93b54b3b53c6206520ed6f688666062b3724cb Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 14:02:47 +0000 Subject: [PATCH 014/108] ab#55565 --- readme_source.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/readme_source.md b/readme_source.md index 1a009cbc..cb958106 100644 --- a/readme_source.md +++ b/readme_source.md @@ -65,8 +65,8 @@ Please consult with your company's system administrator for more information on 7. Modify the config.json file (See the "Configuration File Setup" section later in this README) 8. Start the Keyfactor Universal Orchestrator Service.
-\ -\ +  +  ## Configuration File Setup The Remote File Orchestrator Extension uses a JSON configuration file. It is located in the {Keyfactor Orchestrator Installation Folder}\Extensions\RemoteFile. None of the values are required, and a description of each follows below: From 166468fef4e38279457e252591997a1a976af4f4 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 14:03:18 +0000 Subject: [PATCH 015/108] Update generated README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1a91e208..fb2e1280 100644 --- a/README.md +++ b/README.md @@ -166,8 +166,8 @@ Please consult with your company's system administrator for more information on 7. Modify the config.json file (See the "Configuration File Setup" section later in this README) 8. Start the Keyfactor Universal Orchestrator Service. -\ -\ +  +  ## Configuration File Setup The Remote File Orchestrator Extension uses a JSON configuration file. It is located in the {Keyfactor Orchestrator Installation Folder}\Extensions\RemoteFile. None of the values are required, and a description of each follows below: From ed584c12e8dafa424a2379727ba38995688d3c8f Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 14:04:29 +0000 Subject: [PATCH 016/108] ab#55565 --- readme_source.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/readme_source.md b/readme_source.md index cb958106..0f78df1b 100644 --- a/readme_source.md +++ b/readme_source.md 
@@ -65,8 +65,8 @@ Please consult with your company's system administrator for more information on 7. Modify the config.json file (See the "Configuration File Setup" section later in this README) 8. Start the Keyfactor Universal Orchestrator Service. -  -  + + ## Configuration File Setup The Remote File Orchestrator Extension uses a JSON configuration file. It is located in the {Keyfactor Orchestrator Installation Folder}\Extensions\RemoteFile. None of the values are required, and a description of each follows below: From c1928d672a43bc99922a3d22551fb0a407e9ca43 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 14:05:00 +0000 Subject: [PATCH 017/108] Update generated README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index fb2e1280..484c07f8 100644 --- a/README.md +++ b/README.md @@ -166,8 +166,8 @@ Please consult with your company's system administrator for more information on 7. Modify the config.json file (See the "Configuration File Setup" section later in this README) 8. Start the Keyfactor Universal Orchestrator Service. -  -  + + ## Configuration File Setup The Remote File Orchestrator Extension uses a JSON configuration file. It is located in the {Keyfactor Orchestrator Installation Folder}\Extensions\RemoteFile. None of the values are required, and a description of each follows below: From 1de87a81ae8116013fac9cd5be9bfdd9b63db8f3 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 14:06:20 +0000 Subject: [PATCH 018/108] ab#55565 --- readme_source.md | 1 + 1 file changed, 1 insertion(+) diff --git a/readme_source.md b/readme_source.md index 0f78df1b..56dc5813 100644 --- a/readme_source.md +++ b/readme_source.md 
@@ -67,6 +67,7 @@ Please consult with your company's system administrator for more information on +  ## Configuration File Setup The Remote File Orchestrator Extension uses a JSON configuration file. It is located in the {Keyfactor Orchestrator Installation Folder}\Extensions\RemoteFile. None of the values are required, and a description of each follows below: From ac92ee4ecafdf24c8e7dcff5a1321abe862cc4ab Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 14:06:56 +0000 Subject: [PATCH 019/108] Update generated README --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 484c07f8..1badd2f4 100644 --- a/README.md +++ b/README.md @@ -168,6 +168,7 @@ Please consult with your company's system administrator for more information on +  ## Configuration File Setup The Remote File Orchestrator Extension uses a JSON configuration file. It is located in the {Keyfactor Orchestrator Installation Folder}\Extensions\RemoteFile. None of the values are required, and a description of each follows below: From 351e36a7c6bb2cca91901908d3655983b41cd996 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 14:22:04 +0000 Subject: [PATCH 020/108] ab#55565 --- readme_source.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/readme_source.md b/readme_source.md index 56dc5813..01261826 100644 --- a/readme_source.md +++ b/readme_source.md @@ -25,7 +25,7 @@ The version number of a the Remote File Orchestrator Extension can be verified b     -## Security Considerations +## Prerequisites and Security Considerations
For Linux orchestrated servers: @@ -50,7 +50,7 @@ The version number of a the Remote File Orchestrator Extension can be verified b
For Windows orchestrated servers: -1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command (See "Creating Certificate Stores" later in this README). +1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command (See "Creating Certificate Stores" later in this README). Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment.   @@ -82,7 +82,11 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo "DefaultOwnerOnStoreCreation": "" } -**UseSudo** (Applicable for Linux orchestrated servers only) - Y/N - Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. For Windows orchestrated servers, this setting has no effect. Setting this value to "N" will result in "sudo" not being added to Linux commands. +
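Review bot: the port numbers added in this hunk are wrong: WinRM listens on 5985 for HTTP and 5986 for HTTPS by default, not 5585/5586. Since the reader is instructed to embed this port in the certificate store path, the typo will produce failed connections for anyone who copies it. While editing the sentence, "certificate stores When creating" has a stray capital, and the first paragraph after "Please consult" could note that a Linux-hosted orchestrator reaches Windows stores over SSH (per the v2.6.0 CHANGELOG), in which case the WinRM port guidance does not apply.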
+UseSudo (Applicable for Linux orchestrated servers only) +* Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands. For Windows orchestrated servers, this setting has no effect. +* Allowed values - Y/N +* Default value - N **DefaultSudoImpersonatedUser** (Applicable for Linux orchestrated servers only) - Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is set to an empty string, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Security Considerations" section above. This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the Certificate Store Types section. **CreateStoreOnAddIfMissing** - Y/N - Determines, during a Management-Add job, if a certificate store should be created if it does not already exist. If set to "N", and the store referenced in the Management-Add job is not found, the job will return an error with a message stating that the store does not exist. If set to "Y", the store will be created and the certificate added to the certificate store. 
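Review bot: the reworked UseSudo block in this hunk drops the `**…**` bold heading that every other setting (DefaultSudoImpersonatedUser, CreateStoreOnAddIfMissing) still uses and introduces an "Allowed values / Default value" bullet layout only for this one key; either convert the remaining settings to the same layout or keep the bold heading so the generated README is consistent. Two content points in the surrounding context also need attention: the DefaultSudoImpersonatedUser paragraph says the impersonated user "must have permissions to SCP/SFTP files", but item 2 of the Linux security considerations states that SFTP/SCP cannot use sudo, so transfers run as the SSH login user, not the impersonated one; say which identity needs the file-transfer permission. And please double-check that the heading names (`CreateStoreOnAddIfMissing`, `UseNegotiateAuth`) match the key spellings in the config.json sample above exactly, since operators copy them verbatim. Minor: "certain Linux command" should be "commands".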
**Default value if missing - N**. **UseNegotiateAuth** (Applicable for Windows orchestrated servers only) – Y/N - Determines if WinRM should use Negotiate (Y) when connecting to the remote server. **Default Value if missing - N**. From 64ec1c6105050df283cb08ddb1c4b132d863c0ec Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 14:22:42 +0000 Subject: [PATCH 021/108] Update generated README --- README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 1badd2f4..7f71fe40 100644 --- a/README.md +++ b/README.md @@ -126,7 +126,7 @@ The version number of a the Remote File Orchestrator Extension can be verified b     -## Security Considerations +## Prerequisites and Security Considerations
For Linux orchestrated servers: @@ -151,7 +151,7 @@ The version number of a the Remote File Orchestrator Extension can be verified b
For Windows orchestrated servers: -1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command (See "Creating Certificate Stores" later in this README). +1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command (See "Creating Certificate Stores" later in this README). Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment.   @@ -183,7 +183,11 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo "DefaultOwnerOnStoreCreation": "" } -**UseSudo** (Applicable for Linux orchestrated servers only) - Y/N - Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. For Windows orchestrated servers, this setting has no effect. Setting this value to "N" will result in "sudo" not being added to Linux commands. +
+UseSudo (Applicable for Linux orchestrated servers only) +* Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands. For Windows orchestrated servers, this setting has no effect. +* Allowed values - Y/N +* Default value - N **DefaultSudoImpersonatedUser** (Applicable for Linux orchestrated servers only) - Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is set to an empty string, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Security Considerations" section above. This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the Certificate Store Types section. **CreateStoreOnAddIfMissing** - Y/N - Determines, during a Management-Add job, if a certificate store should be created if it does not already exist. If set to "N", and the store referenced in the Management-Add job is not found, the job will return an error with a message stating that the store does not exist. If set to "Y", the store will be created and the certificate added to the certificate store. 
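Review bot: the heading rename to "## Prerequisites and Security Considerations" in the first hunk leaves the cross-reference in the last hunk's context ("...permissions to execute the commands listed in the "Security Considerations" section above") pointing at a heading that no longer exists. Because README.md is generated, the reference should be fixed in readme_source.md and the README regenerated; the WinRM hunk likewise inherits the 5585/5586 port values from readme_source.md and needs the 5985/5986 correction there rather than here.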
**Default value if missing - N**. **UseNegotiateAuth** (Applicable for Windows orchestrated servers only) – Y/N - Determines if WinRM should use Negotiate (Y) when connecting to the remote server. **Default Value if missing - N**. From 21ee74b6cafb04480ebe51972849d20ba42ef7b9 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 14:23:10 +0000 Subject: [PATCH 022/108] ab#55565 --- readme_source.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/readme_source.md b/readme_source.md index 01261826..892ef04b 100644 --- a/readme_source.md +++ b/readme_source.md @@ -87,6 +87,9 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo * Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands. For Windows orchestrated servers, this setting has no effect. * Allowed values - Y/N * Default value - N +
+ + **DefaultSudoImpersonatedUser** (Applicable for Linux orchestrated servers only) - Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is set to an empty string, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Security Considerations" section above. This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the Certificate Store Types section. **CreateStoreOnAddIfMissing** - Y/N - Determines, during a Management-Add job, if a certificate store should be created if it does not already exist. If set to "N", and the store referenced in the Management-Add job is not found, the job will return an error with a message stating that the store does not exist. If set to "Y", the store will be created and the certificate added to the certificate store. **Default value if missing - N**. **UseNegotiateAuth** (Applicable for Windows orchestrated servers only) – Y/N - Determines if WinRM should use Negotiate (Y) when connecting to the remote server. **Default Value if missing - N**. From 3c5dd13243af6d11565eaecfca1eab4af88fd3d6 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 14:23:48 +0000 Subject: [PATCH 023/108] Update generated README --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 7f71fe40..6302dbe7 100644 --- a/README.md +++ b/README.md 
@@ -188,6 +188,9 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo * Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands. For Windows orchestrated servers, this setting has no effect. * Allowed values - Y/N * Default value - N +
+ + **DefaultSudoImpersonatedUser** (Applicable for Linux orchestrated servers only) - Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is set to an empty string, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Security Considerations" section above. This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the Certificate Store Types section. **CreateStoreOnAddIfMissing** - Y/N - Determines, during a Management-Add job, if a certificate store should be created if it does not already exist. If set to "N", and the store referenced in the Management-Add job is not found, the job will return an error with a message stating that the store does not exist. If set to "Y", the store will be created and the certificate added to the certificate store. **Default value if missing - N**. **UseNegotiateAuth** (Applicable for Windows orchestrated servers only) – Y/N - Determines if WinRM should use Negotiate (Y) when connecting to the remote server. **Default Value if missing - N**. From 42adbb5c07d69210b6caedd283cd3656db7c588e Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 14:24:40 +0000 Subject: [PATCH 024/108] ab#55565 --- readme_source.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/readme_source.md b/readme_source.md index 892ef04b..d27227d5 100644 --- a/readme_source.md +++ b/readme_source.md @@ -84,9 +84,11 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
UseSudo (Applicable for Linux orchestrated servers only) + * Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands. For Windows orchestrated servers, this setting has no effect. * Allowed values - Y/N * Default value - N +
From cb75dce4663f38c8d347ce2e7d662bfb80d9c45a Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 14:25:16 +0000 Subject: [PATCH 025/108] Update generated README --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 6302dbe7..8d3824f0 100644 --- a/README.md +++ b/README.md @@ -185,9 +185,11 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
UseSudo (Applicable for Linux orchestrated servers only) + * Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands. For Windows orchestrated servers, this setting has no effect. * Allowed values - Y/N * Default value - N +
From bf39023efecd833cf74294cb86ddbae7468b4ad4 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 14:47:43 +0000 Subject: [PATCH 026/108] ab#55565 --- readme_source.md | 70 ++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 62 insertions(+), 8 deletions(-) diff --git a/readme_source.md b/readme_source.md index d27227d5..9c36b7ad 100644 --- a/readme_source.md +++ b/readme_source.md @@ -83,7 +83,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo }
-UseSudo (Applicable for Linux orchestrated servers only) +UseSudo (Applicable for Linux orchestrated servers only) * Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands. For Windows orchestrated servers, this setting has no effect. * Allowed values - Y/N @@ -91,14 +91,68 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
+
+DefaultSudoImpersonatedUser (Applicable for Linux orchestrated servers only) + +* Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is set to an empty string, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Prerequisites and Security Considerations" section above. This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the Certificate Store Types section. +* Allowed values - Any valid user id that the destination Linux server will recognize +* Default value - blank (root will be used) + +
+ +
+CreateStoreOnAddIfMissing + +* Determines, during a Management-Add job, if a certificate store should be created if it does not already exist. If set to "N", and the store referenced in the Management-Add job is not found, the job will return an error with a message stating that the store does not exist. If set to "Y", the store will be created and the certificate added to the certificate store. +* Allowed values - Y/N +* Default value - N + +
+ +
+UseNegotiateAuth (Applicable for Windows orchestrated servers only) + +* Determines if WinRM should use Negotiate (Y) when connecting to the remote server. +* Allowed values - Y/N +* Default value - N + +
+ +
+SeparateUploadFilePath(Applicable for Linux managed servers only) + +* Set this to the path you wish to use as the location on the orchestrated server to upload/download and later remove temporary work files when processing jobs. If set to "" or not provided, the location of the certificate store itself will be used. File transfer is performed using the SCP or SFTP protocols (see the File TransferProtocol setting). +* Allowed values - Any valid, existing Linux path configured to allow SCP/SFTP file upload/download tranfers. +* Default value - blank (actual store path will be used) + +
+ +
+FileTransferProtocol (Applicable for Linux orchestrated servers only) + +* Determines the protocol to use when uploading/downloading files while processing a job. +* Allowed values - SCP, SFTP or Both. If "Both" is entered, SCP will be attempted first, and if that does not work, SFTP will be tried. +* Default value - SCP. + +
+ +
+DefaultLinuxPermissionsOnStoreCreation (Applicable for Linux managed servers only) + +* The Linux file permissions that will be set on a new certificate store created via a Management Create job or a Management Add job where CreateStoreOnAddIsMissing is set to "Y". This value will be used for all certificate stores managed by this orchestrator instance unless overridden by the optional "Linux File Permissions on Store Creation" custom parameter setting on a specific certificate store (See the "Certificatee Store Types Supported" section later in this README). +* Allowed values - Any 3 digit value from 000-777. +* Default Value - 600. + +
+ +
+DefaultOwnerOnStoreCreation (Applicable for Linux managed servers only) +* When a Management job is run to remotely create the physical certificate store on a remote server, by default the file owner and group will be set to the user name associated with the Keyfactor certificate store. Setting DefaultOwnerOnStoreCreation to an alternative valid Linux user name will set that as the owner/group instead. If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please make sure that the user associated with the certificate store will have valid permissions to chown the certificate store file to this alernative owner. The optional "Linux File Owner on Store Creation" custom parameter setting for a specific certificate store (See the "Certificatee Store Types Supported" section later in this README) can override this value for a specific store. +* Allowed values - Any valid user id that the destination Linux server will recognize +* Default Value - blank (the ID associated with the Keyfactor certificate store will be used). + +
-**DefaultSudoImpersonatedUser** (Applicable for Linux orchestrated servers only) - Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is set to an empty string, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Security Considerations" section above. This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the Certificate Store Types section. -**CreateStoreOnAddIfMissing** - Y/N - Determines, during a Management-Add job, if a certificate store should be created if it does not already exist. If set to "N", and the store referenced in the Management-Add job is not found, the job will return an error with a message stating that the store does not exist. If set to "Y", the store will be created and the certificate added to the certificate store. **Default value if missing - N**. -**UseNegotiateAuth** (Applicable for Windows orchestrated servers only) – Y/N - Determines if WinRM should use Negotiate (Y) when connecting to the remote server. **Default Value if missing - N**. -**SeparateUploadFilePath**(Applicable for Linux managed servers only) – Set this to the path you wish to use as the location on the orchestrated server to upload/download and later remove temporary work files when processing jobs. If set to "" or not provided, the location of the certificate store itself will be used. File transfer itself is performed using SCP or SFTP protocols (see FileT ransferProtocol setting). **Default Value if missing - blank**. 
-**FileTransferProtocol** (Applicable for Linux orchestrated servers only) - SCP/SFTP/Both - Determines the protocol to use when uploading/downloading files while processing a job. Valid values are: SCP - uses SCP, SFTP - uses SFTP, or Both - will attempt to use SCP first, and if that does not work, will attempt the file transfer via SFTP. **Default Value if missing - SCP**. -**DefaultLinuxPermissionsOnStoreCreation** (Applicable for Linux managed servers only) - Value must be 3 digits all between 0-7. The Linux file permissions that will be set on a new certificate store created via a Management Create job or a Management Add job where CreateStoreOnAddIsMissing is set to "Y". This value will be used for all certificate stores managed by this orchestrator instance unless overridden by the optional "Linux File Permissions on Store Creation" custom parameter setting on a specific certificate store (See the "Certificatee Store Types Supported" section later in this README). **Default Value if missing - 600**. -**DefaultOwnerOnStoreCreation** (Applicable for Linux managed servers only) - When a Management job is run to remotely create the physical certificate store on a remote server, by default the file owner and group will be set to the user name associated with the Keyfactor certificate store. Setting DefaultOwnerOnStoreCreation to an alternative valid Linux user name will set that as the owner/group instead. If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please make sure that the user associated with the certificate store will have valid permissions to chown the certificate store file to this alernative owner. The optional "Linux File Owner on Store Creation" custom parameter setting for a specific certificate store (See the "Certificatee Store Types Supported" section later in this README) can override this value for a specific store. **Default Value if missing - blank**.   
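Review bot: the only change in the "@@ -83,7 +83,7" hunk is two trailing spaces appended to "UseSudo (Applicable for Linux orchestrated servers only)", i.e. a markdown hard line break. Trailing whitespace is routinely stripped by editors and linters and is invisible in review, and the blank line already inserted between this heading and its bullets (patch 024) makes the break unnecessary; drop the trailing spaces and rely on the blank line.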
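Review bot: in the "@@ -91,14 +91,68" hunk the DefaultLinuxPermissionsOnStoreCreation bullet refers to "CreateStoreOnAddIsMissing", but the setting introduced a few lines earlier is "CreateStoreOnAddIfMissing"; use one spelling. Two other names are broken by spacing: "SeparateUploadFilePath(Applicable..." is missing a space before the parenthesis, and "see the File TransferProtocol setting" splits the FileTransferProtocol name. The new allowed-values line "Any 3 digit value from 000-777" is looser than the removed text ("3 digits all between 0-7"): a range of 000-777 reads as decimal and admits values such as 080 or 699 that are not valid octal modes, so say "three octal digits, each 0-7 (e.g. 600)". The parentheticals mix "Linux managed servers only" and "Linux orchestrated servers only"; pick one term. Smaller fixes: "overriden", "tranfers", "delimitter", "alernative" and "Certificatee" are typos, and "Default Value - 600." / "Default Value - blank (...)" differ in capitalization and trailing period from the "Default value - N" lines above.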
  ## Certificate Store Types From 1793325741a2e2e053ea64765b8872132c4602a8 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 14:48:17 +0000 Subject: [PATCH 027/108] Update generated README --- README.md | 70 ++++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 62 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 8d3824f0..ec66f6a6 100644 --- a/README.md +++ b/README.md @@ -184,7 +184,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo }
-UseSudo (Applicable for Linux orchestrated servers only) +UseSudo (Applicable for Linux orchestrated servers only) * Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands. For Windows orchestrated servers, this setting has no effect. * Allowed values - Y/N @@ -192,14 +192,68 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
+
+DefaultSudoImpersonatedUser (Applicable for Linux orchestrated servers only) + +* Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is set to an empty string, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Prerequisites and Security Considerations" section above. This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the Certificate Store Types section. +* Allowed values - Any valid user id that the destination Linux server will recognize +* Default value - blank (root will be used) + +
+ +
+CreateStoreOnAddIfMissing + +* Determines, during a Management-Add job, if a certificate store should be created if it does not already exist. If set to "N", and the store referenced in the Management-Add job is not found, the job will return an error with a message stating that the store does not exist. If set to "Y", the store will be created and the certificate added to the certificate store. +* Allowed values - Y/N +* Default value - N + +
+ +
+UseNegotiateAuth (Applicable for Windows orchestrated servers only) + +* Determines if WinRM should use Negotiate (Y) when connecting to the remote server. +* Allowed values - Y/N +* Default value - N + +
+ +
+SeparateUploadFilePath(Applicable for Linux managed servers only) + +* Set this to the path you wish to use as the location on the orchestrated server to upload/download and later remove temporary work files when processing jobs. If set to "" or not provided, the location of the certificate store itself will be used. File transfer is performed using the SCP or SFTP protocols (see the File TransferProtocol setting). +* Allowed values - Any valid, existing Linux path configured to allow SCP/SFTP file upload/download tranfers. +* Default value - blank (actual store path will be used) + +
+ +
+FileTransferProtocol (Applicable for Linux orchestrated servers only) + +* Determines the protocol to use when uploading/downloading files while processing a job. +* Allowed values - SCP, SFTP or Both. If "Both" is entered, SCP will be attempted first, and if that does not work, SFTP will be tried. +* Default value - SCP. + +
+ +
+DefaultLinuxPermissionsOnStoreCreation (Applicable for Linux managed servers only) + +* The Linux file permissions that will be set on a new certificate store created via a Management Create job or a Management Add job where CreateStoreOnAddIsMissing is set to "Y". This value will be used for all certificate stores managed by this orchestrator instance unless overridden by the optional "Linux File Permissions on Store Creation" custom parameter setting on a specific certificate store (See the "Certificatee Store Types Supported" section later in this README). +* Allowed values - Any 3 digit value from 000-777. +* Default Value - 600. + +
+ +
+DefaultOwnerOnStoreCreation (Applicable for Linux managed servers only) +* When a Management job is run to remotely create the physical certificate store on a remote server, by default the file owner and group will be set to the user name associated with the Keyfactor certificate store. Setting DefaultOwnerOnStoreCreation to an alternative valid Linux user name will set that as the owner/group instead. If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please make sure that the user associated with the certificate store will have valid permissions to chown the certificate store file to this alernative owner. The optional "Linux File Owner on Store Creation" custom parameter setting for a specific certificate store (See the "Certificatee Store Types Supported" section later in this README) can override this value for a specific store. +* Allowed values - Any valid user id that the destination Linux server will recognize +* Default Value - blank (the ID associated with the Keyfactor certificate store will be used). + +
-**DefaultSudoImpersonatedUser** (Applicable for Linux orchestrated servers only) - Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is set to an empty string, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Security Considerations" section above. This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the Certificate Store Types section. -**CreateStoreOnAddIfMissing** - Y/N - Determines, during a Management-Add job, if a certificate store should be created if it does not already exist. If set to "N", and the store referenced in the Management-Add job is not found, the job will return an error with a message stating that the store does not exist. If set to "Y", the store will be created and the certificate added to the certificate store. **Default value if missing - N**. -**UseNegotiateAuth** (Applicable for Windows orchestrated servers only) – Y/N - Determines if WinRM should use Negotiate (Y) when connecting to the remote server. **Default Value if missing - N**. -**SeparateUploadFilePath**(Applicable for Linux managed servers only) – Set this to the path you wish to use as the location on the orchestrated server to upload/download and later remove temporary work files when processing jobs. If set to "" or not provided, the location of the certificate store itself will be used. File transfer itself is performed using SCP or SFTP protocols (see FileT ransferProtocol setting). **Default Value if missing - blank**. 
-**FileTransferProtocol** (Applicable for Linux orchestrated servers only) - SCP/SFTP/Both - Determines the protocol to use when uploading/downloading files while processing a job. Valid values are: SCP - uses SCP, SFTP - uses SFTP, or Both - will attempt to use SCP first, and if that does not work, will attempt the file transfer via SFTP. **Default Value if missing - SCP**. -**DefaultLinuxPermissionsOnStoreCreation** (Applicable for Linux managed servers only) - Value must be 3 digits all between 0-7. The Linux file permissions that will be set on a new certificate store created via a Management Create job or a Management Add job where CreateStoreOnAddIsMissing is set to "Y". This value will be used for all certificate stores managed by this orchestrator instance unless overridden by the optional "Linux File Permissions on Store Creation" custom parameter setting on a specific certificate store (See the "Certificatee Store Types Supported" section later in this README). **Default Value if missing - 600**. -**DefaultOwnerOnStoreCreation** (Applicable for Linux managed servers only) - When a Management job is run to remotely create the physical certificate store on a remote server, by default the file owner and group will be set to the user name associated with the Keyfactor certificate store. Setting DefaultOwnerOnStoreCreation to an alternative valid Linux user name will set that as the owner/group instead. If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please make sure that the user associated with the certificate store will have valid permissions to chown the certificate store file to this alernative owner. The optional "Linux File Owner on Store Creation" custom parameter setting for a specific certificate store (See the "Certificatee Store Types Supported" section later in this README) can override this value for a specific store. **Default Value if missing - blank**.   
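Review bot: this generated README hunk duplicates the readme_source.md change from patch 026 verbatim, so it carries the same problems: the "CreateStoreOnAddIsMissing" misspelling of CreateStoreOnAddIfMissing, the "SeparateUploadFilePath(Applicable" and "File TransferProtocol" spacing, the decimal-looking "000-777" permissions range, the mixed "managed"/"orchestrated" wording, and the typos. Since README.md is regenerated from readme_source.md on each commit, none of these should be patched here directly; fix the source and let the generator refresh this file.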
  ## Certificate Store Types From 46ed799e4a6c34e616087c73de99a254984a8502 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 14:53:15 +0000 Subject: [PATCH 028/108] ab#55565 --- readme_source.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/readme_source.md b/readme_source.md index 9c36b7ad..812a9383 100644 --- a/readme_source.md +++ b/readme_source.md @@ -83,16 +83,16 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo }
-UseSudo (Applicable for Linux orchestrated servers only) +UseSudo (Applicable for Linux hosted certificate stores only) -* Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands. For Windows orchestrated servers, this setting has no effect. +* Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands. * Allowed values - Y/N * Default value - N
-DefaultSudoImpersonatedUser (Applicable for Linux orchestrated servers only) +DefaultSudoImpersonatedUser (Applicable for Linux hosted certificate stores only) * Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is set to an empty string, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Prerequisites and Security Considerations" section above. This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the Certificate Store Types section. * Allowed values - Any valid user id that the destination Linux server will recognize @@ -110,7 +110,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
-UseNegotiateAuth (Applicable for Windows orchestrated servers only) +UseNegotiateAuth (Applicable for Windows hosted certificate stores only) * Determines if WinRM should use Negotiate (Y) when connecting to the remote server. * Allowed values - Y/N @@ -119,7 +119,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
-SeparateUploadFilePath(Applicable for Linux managed servers only) +SeparateUploadFilePath(Applicable for Linux hosted certificate stores only) * Set this to the path you wish to use as the location on the orchestrated server to upload/download and later remove temporary work files when processing jobs. If set to "" or not provided, the location of the certificate store itself will be used. File transfer is performed using the SCP or SFTP protocols (see the File TransferProtocol setting). * Allowed values - Any valid, existing Linux path configured to allow SCP/SFTP file upload/download tranfers. @@ -128,7 +128,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
-FileTransferProtocol (Applicable for Linux orchestrated servers only) +FileTransferProtocol (Applicable for Linux hosted certificate stores only) * Determines the protocol to use when uploading/downloading files while processing a job. * Allowed values - SCP, SFTP or Both. If "Both" is entered, SCP will be attempted first, and if that does not work, SFTP will be tried. @@ -137,7 +137,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
-DefaultLinuxPermissionsOnStoreCreation (Applicable for Linux managed servers only) +DefaultLinuxPermissionsOnStoreCreation (Applicable for Linux hosted certificate stores only) * The Linux file permissions that will be set on a new certificate store created via a Management Create job or a Management Add job where CreateStoreOnAddIsMissing is set to "Y". This value will be used for all certificate stores managed by this orchestrator instance unless overridden by the optional "Linux File Permissions on Store Creation" custom parameter setting on a specific certificate store (See the "Certificatee Store Types Supported" section later in this README). * Allowed values - Any 3 digit value from 000-777. @@ -147,6 +147,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
DefaultOwnerOnStoreCreation (Applicable for Linux managed servers only) + * When a Management job is run to remotely create the physical certificate store on a remote server, by default the file owner and group will be set to the user name associated with the Keyfactor certificate store. Setting DefaultOwnerOnStoreCreation to an alternative valid Linux user name will set that as the owner/group instead. If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please make sure that the user associated with the certificate store will have valid permissions to chown the certificate store file to this alernative owner. The optional "Linux File Owner on Store Creation" custom parameter setting for a specific certificate store (See the "Certificatee Store Types Supported" section later in this README) can override this value for a specific store. * Allowed values - Any valid user id that the destination Linux server will recognize * Default Value - blank (the ID associated with the Keyfactor certificate store will be used). From 0a7b3d3053fcadbb44922ff93e54d090f6152f7c Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 14:53:50 +0000 Subject: [PATCH 029/108] Update generated README --- README.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index ec66f6a6..4c98d9a3 100644 --- a/README.md +++ b/README.md @@ -184,16 +184,16 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo }
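Review bot: in the UseSudo/DefaultSudoImpersonatedUser hunk of readme_source.md the first bullet still says sudo is prefixed to "certain Linux command" while the third sentence of the same bullet says "all Linux commands"; pick one wording (and make it "commands") so an operator knows exactly which commands will consult sudoers. Same hunk: "overriden" should be "overridden", and now that the impersonated user is configurable, the DefaultSudoImpersonatedUser bullet should say that the connecting account's sudoers entry must allow that user as a run-as target; the text currently lists only what the impersonated user itself needs, so a reader can set the value and get a sudo refusal with no hint why.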
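Review bot: the SeparateUploadFilePath hunk refers to "the File TransferProtocol setting" with a stray space; it should read FileTransferProtocol so it matches the heading two hunks further down, and "tranfers" in the Allowed values line should be "transfers".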
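Review bot: the DefaultOwnerOnStoreCreation hunk only adds a blank line and leaves the heading as "(Applicable for Linux managed servers only)" while every other setting in this patch was reworded to "(Applicable for Linux hosted certificate stores only)"; update it here rather than in a follow-up commit. While touching the paragraph: "delimitter" should be "delimiter", "alernative" should be "alternative", and the cross-reference to the "Certificatee Store Types Supported" section (also present in the DefaultLinuxPermissionsOnStoreCreation hunk) does not match the actual heading "Certificate Store Types".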
-UseSudo (Applicable for Linux orchestrated servers only) +UseSudo (Applicable for Linux hosted certificate stores only) -* Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands. For Windows orchestrated servers, this setting has no effect. +* Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands. * Allowed values - Y/N * Default value - N
-DefaultSudoImpersonatedUser (Applicable for Linux orchestrated servers only) +DefaultSudoImpersonatedUser (Applicable for Linux hosted certificate stores only) * Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is set to an empty string, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Prerequisites and Security Considerations" section above. This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the Certificate Store Types section. * Allowed values - Any valid user id that the destination Linux server will recognize @@ -211,7 +211,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
-UseNegotiateAuth (Applicable for Windows orchestrated servers only) +UseNegotiateAuth (Applicable for Windows hosted certificate stores only) * Determines if WinRM should use Negotiate (Y) when connecting to the remote server. * Allowed values - Y/N @@ -220,7 +220,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
-SeparateUploadFilePath(Applicable for Linux managed servers only) +SeparateUploadFilePath(Applicable for Linux hosted certificate stores only) * Set this to the path you wish to use as the location on the orchestrated server to upload/download and later remove temporary work files when processing jobs. If set to "" or not provided, the location of the certificate store itself will be used. File transfer is performed using the SCP or SFTP protocols (see the File TransferProtocol setting). * Allowed values - Any valid, existing Linux path configured to allow SCP/SFTP file upload/download tranfers. @@ -229,7 +229,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
-FileTransferProtocol (Applicable for Linux orchestrated servers only) +FileTransferProtocol (Applicable for Linux hosted certificate stores only) * Determines the protocol to use when uploading/downloading files while processing a job. * Allowed values - SCP, SFTP or Both. If "Both" is entered, SCP will be attempted first, and if that does not work, SFTP will be tried. @@ -238,7 +238,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
-DefaultLinuxPermissionsOnStoreCreation (Applicable for Linux managed servers only) +DefaultLinuxPermissionsOnStoreCreation (Applicable for Linux hosted certificate stores only) * The Linux file permissions that will be set on a new certificate store created via a Management Create job or a Management Add job where CreateStoreOnAddIsMissing is set to "Y". This value will be used for all certificate stores managed by this orchestrator instance unless overridden by the optional "Linux File Permissions on Store Creation" custom parameter setting on a specific certificate store (See the "Certificatee Store Types Supported" section later in this README). * Allowed values - Any 3 digit value from 000-777. @@ -248,6 +248,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
DefaultOwnerOnStoreCreation (Applicable for Linux managed servers only) + * When a Management job is run to remotely create the physical certificate store on a remote server, by default the file owner and group will be set to the user name associated with the Keyfactor certificate store. Setting DefaultOwnerOnStoreCreation to an alternative valid Linux user name will set that as the owner/group instead. If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please make sure that the user associated with the certificate store will have valid permissions to chown the certificate store file to this alernative owner. The optional "Linux File Owner on Store Creation" custom parameter setting for a specific certificate store (See the "Certificatee Store Types Supported" section later in this README) can override this value for a specific store. * Allowed values - Any valid user id that the destination Linux server will recognize * Default Value - blank (the ID associated with the Keyfactor certificate store will be used). From 031dd9656837a6396b51d43c1983549cb6db77a6 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 15:03:15 +0000 Subject: [PATCH 030/108] ab#55565 --- readme_source.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/readme_source.md b/readme_source.md index 812a9383..5b562e4b 100644 --- a/readme_source.md +++ b/readme_source.md @@ -28,7 +28,7 @@ The version number of a the Remote File Orchestrator Extension can be verified b ## Prerequisites and Security Considerations
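Review bot: this commit is the generated README.md mirror of the preceding readme_source.md change, so the wording and typo issues raised on those hunks need to be fixed in readme_source.md and regenerated, not hand-edited here; consider squashing each "Update generated README" commit into the source commit it follows so the history does not carry every fix twice.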
-For Linux orchestrated servers: +Certificate stores hosted on Linux servers: 1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux servers. If the credentials you will be connecting with need elevated access to run these commands or to access the certificate store files these commands operate against, you must set up the user id as a sudoer with no password necessary and set the config.json "UseSudo" value to "Y" (See "Config File Setup" later in this README for more information on setting up the config.json file). The full list of these commands below: |Shell Command|Used For| @@ -49,7 +49,7 @@ The version number of a the Remote File Orchestrator Extension can be verified b
-For Windows orchestrated servers: +Certificate stores hosted on Windows servers: 1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command (See "Creating Certificate Stores" later in this README). Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment. From 7ba82a81b6d5b6393820cd211a296457c8b3b621 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 15:03:59 +0000 Subject: [PATCH 031/108] Update generated README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4c98d9a3..fc12bcaf 100644 --- a/README.md +++ b/README.md @@ -129,7 +129,7 @@ The version number of a the Remote File Orchestrator Extension can be verified b ## Prerequisites and Security Considerations
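Review bot: the Linux prerequisites hunk tells the reader to "set up the user id as a sudoer with no password necessary" without saying that the NOPASSWD rule should be limited to the commands in the table that follows; add that the sudoers entry should list those commands (and, now that DefaultSudoImpersonatedUser exists, the permitted run-as user) rather than granting ALL, which is what the "least permissions necessary" wording under UseSudo promises. Also "The full list of these commands below:" is missing "is", and the hunk header context shows "of a the Remote File Orchestrator Extension" in the version paragraph just above (one article too many).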
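Review bot: the Windows hunk gives the conventional WinRM ports as 5585 for HTTP and 5586 for HTTPS; the default WinRM listener ports are 5985 and 5986, so please verify these numbers before merge, since operators will copy them straight into the store path. The same sentence also reads "when setting up your certificate stores When creating a new certificate store", which repeats itself with a mid-sentence capital; drop one of the two clauses.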
-For Linux orchestrated servers: +Certificate stores hosted on Linux servers: 1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux servers. If the credentials you will be connecting with need elevated access to run these commands or to access the certificate store files these commands operate against, you must set up the user id as a sudoer with no password necessary and set the config.json "UseSudo" value to "Y" (See "Config File Setup" later in this README for more information on setting up the config.json file). The full list of these commands below: |Shell Command|Used For| @@ -150,7 +150,7 @@ The version number of a the Remote File Orchestrator Extension can be verified b
-For Windows orchestrated servers: +Certificate stores hosted on Windows servers: 1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command (See "Creating Certificate Stores" later in this README). Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment. From f3d358ccea1c53c84040248639b2ac3d71362f17 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 15:08:43 +0000 Subject: [PATCH 032/108] ab#55565 --- readme_source.md | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/readme_source.md b/readme_source.md index 5b562e4b..a3d0362b 100644 --- a/readme_source.md +++ b/readme_source.md @@ -146,7 +146,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
-DefaultOwnerOnStoreCreation (Applicable for Linux managed servers only) +DefaultOwnerOnStoreCreation (Applicable for Linux hosted certificate stores only) * When a Management job is run to remotely create the physical certificate store on a remote server, by default the file owner and group will be set to the user name associated with the Keyfactor certificate store. Setting DefaultOwnerOnStoreCreation to an alternative valid Linux user name will set that as the owner/group instead. If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please make sure that the user associated with the certificate store will have valid permissions to chown the certificate store file to this alernative owner. The optional "Linux File Owner on Store Creation" custom parameter setting for a specific certificate store (See the "Certificatee Store Types Supported" section later in this README) can override this value for a specific store. * Allowed values - Any valid user id that the destination Linux server will recognize @@ -160,8 +160,11 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo When setting up the certificate store types you wish the Remote File Orchestrator Extension to manage, there are some common settings that will be the same for all supported types. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. Alternatively, there are CURL scripts for all of the currently implemented certificate store types in the Certificate Store Type CURL Scripts folder in this repo if you wish to automate the creation of the desired store types. -**Common Values:** -*Basic Tab:* +**Common Values:** + +
+Basic Tab: + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - **ShortName** - Required. See specific certificate store type instructions below. - **Custom Capability** - Unchecked @@ -172,17 +175,27 @@ When setting up the certificate store types you wish the Remote File Orchestrato - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. - **Supports Entry Password** - Unchecked. -*Advanced Tab:* +
+ +
+Advanced Tab: + - **Store Path Type** - Freeform - **Supports Custom Alias** - See specific certificate store type instructions below. - **Private Key Handling** - See specific certificate store type instructions below - **PFX Password Style** - Default -*Custom Fields Tab:* +
+ +
+Custom Fields Tab: + - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. +
+ Entry Parameters Tab: - See specific certificate store type instructions below From 23aaea3c4f1b4d8d0c3eb705ee10200af9db143e Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 15:09:15 +0000 Subject: [PATCH 033/108] Update generated README --- README.md | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index fc12bcaf..4eb6ba24 100644 --- a/README.md +++ b/README.md @@ -247,7 +247,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
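Review bot: the DefaultOwnerOnStoreCreation hunk brings the heading in line with the other settings, but the same paragraph still carries "delimitter", "alernative" and the "Certificatee Store Types Supported" reference (the section is headed "Certificate Store Types"); fix them in this pass while the paragraph is being touched.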
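Review bot: in the Common Values hunk the new SudoImpersonatedUser custom field text sends the reader to the "Security Considerations" section, but the section is titled "Prerequisites and Security Considerations" in the earlier hunk of this series, so the reference should match. More important from a security standpoint: this field is set per certificate store in Keyfactor Command, so anyone who can edit a store chooses which account sudo runs commands as on the target; the description should state that the connecting user's sudoers rule must restrict the permitted run-as users, so the store field can only select among accounts the server administrator has already approved. Minor: the tab headings lose their italic markers ("*Basic Tab:*" becomes "Basic Tab:") and gain blank lines; confirm that is the intended rendering.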
-DefaultOwnerOnStoreCreation (Applicable for Linux managed servers only) +DefaultOwnerOnStoreCreation (Applicable for Linux hosted certificate stores only) * When a Management job is run to remotely create the physical certificate store on a remote server, by default the file owner and group will be set to the user name associated with the Keyfactor certificate store. Setting DefaultOwnerOnStoreCreation to an alternative valid Linux user name will set that as the owner/group instead. If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please make sure that the user associated with the certificate store will have valid permissions to chown the certificate store file to this alernative owner. The optional "Linux File Owner on Store Creation" custom parameter setting for a specific certificate store (See the "Certificatee Store Types Supported" section later in this README) can override this value for a specific store. * Allowed values - Any valid user id that the destination Linux server will recognize @@ -261,8 +261,11 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo When setting up the certificate store types you wish the Remote File Orchestrator Extension to manage, there are some common settings that will be the same for all supported types. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. Alternatively, there are CURL scripts for all of the currently implemented certificate store types in the Certificate Store Type CURL Scripts folder in this repo if you wish to automate the creation of the desired store types. -**Common Values:** -*Basic Tab:* +**Common Values:** + +
+Basic Tab: + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - **ShortName** - Required. See specific certificate store type instructions below. - **Custom Capability** - Unchecked @@ -273,17 +276,27 @@ When setting up the certificate store types you wish the Remote File Orchestrato - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. - **Supports Entry Password** - Unchecked. -*Advanced Tab:* +
+ +
+Advanced Tab: + - **Store Path Type** - Freeform - **Supports Custom Alias** - See specific certificate store type instructions below. - **Private Key Handling** - See specific certificate store type instructions below - **PFX Password Style** - Default -*Custom Fields Tab:* +
+ +
+Custom Fields Tab: + - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. +
+ Entry Parameters Tab: - See specific certificate store type instructions below From 756a727553cf95bbb1044db73a630c5368591a02 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 16:37:32 +0000 Subject: [PATCH 034/108] ab#55565 --- readme_source.md | 64 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 45 insertions(+), 19 deletions(-) diff --git a/readme_source.md b/readme_source.md index a3d0362b..ef75de70 100644 --- a/readme_source.md +++ b/readme_source.md @@ -160,7 +160,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo When setting up the certificate store types you wish the Remote File Orchestrator Extension to manage, there are some common settings that will be the same for all supported types. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. Alternatively, there are CURL scripts for all of the currently implemented certificate store types in the Certificate Store Type CURL Scripts folder in this repo if you wish to automate the creation of the desired store types. -**Common Values:** +**Common Store Type Settings for all Types:**
Basic Tab: @@ -196,14 +196,15 @@ When setting up the certificate store types you wish the Remote File Orchestrato
-Entry Parameters Tab: -- See specific certificate store type instructions below +
+Entry Parameters Tab: + +- See specific certificate store type instructions below + +
  -  -************************************** **RFPkcs12 Certificate Store Type** -************************************** The RFPkcs12 store type can be used to manage any PKCS#12 compliant file format INCLUDING java keystores of type PKCS12. @@ -213,24 +214,35 @@ Use cases supported: 3. A mix of trust and key entries. **Specific Certificate Store Type Values** -*Basic Tab:* + +
+Basic Tab: + - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -*Advanced Tab:* +
+ +
+Advanced Tab: + - **Supports Custom Alias** - Required. - **Private Key Handling** - Optional. -*Custom Fields Tab:* +
+Custom Fields Tab: + - no adittional custom fields/parameters -Entry Parameters Tab: +
+ +
+Entry Parameters Tab: + - no additional entry parameters -  -  -************************************** +
+ **RFJKS Certificate Store Type** -************************************** The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. @@ -240,20 +252,34 @@ Use cases supported: 3. A mix of trust and key entries. **Specific Certificate Store Type Values** -*Basic Tab:* + +
+Basic Tab: + - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -*Advanced Tab:* +
+ +
+Advanced Tab: + - **Supports Custom Alias** - Required. - **Private Key Handling** - Optional. -*Custom Fields Tab:* +
+ +
+Custom Fields Tab: + - no adittional custom fields/parameters -Entry Parameters Tab: +
+Entry Parameters Tab: + - no additional entry parameters -  +
+   ************************************** **RFPEM Certificate Store Type** From cffec6facff79f5095f84977c3e25f5951a18b66 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 16:38:12 +0000 Subject: [PATCH 035/108] Update generated README --- README.md | 64 ++++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 45 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 4eb6ba24..f405aae6 100644 --- a/README.md +++ b/README.md @@ -261,7 +261,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo When setting up the certificate store types you wish the Remote File Orchestrator Extension to manage, there are some common settings that will be the same for all supported types. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. Alternatively, there are CURL scripts for all of the currently implemented certificate store types in the Certificate Store Type CURL Scripts folder in this repo if you wish to automate the creation of the desired store types. -**Common Values:** +**Common Store Type Settings for all Types:**
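Review bot: the RFPkcs12 and RFJKS hunks move the "- no adittional custom fields/parameters" lines without fixing "adittional" to "additional"; since both lines are being rewritten anyway this is the place to correct them. The Short Name bullets also point the reader to "step 6 above" of the installation section for the manifest.json edit; a bare step number is brittle when that section changes, and naming the step (the manifest.json edit) would survive renumbering.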
Basic Tab: @@ -297,14 +297,15 @@ When setting up the certificate store types you wish the Remote File Orchestrato
-Entry Parameters Tab: -- See specific certificate store type instructions below +
+Entry Parameters Tab: + +- See specific certificate store type instructions below + +
  -  -************************************** **RFPkcs12 Certificate Store Type** -************************************** The RFPkcs12 store type can be used to manage any PKCS#12 compliant file format INCLUDING java keystores of type PKCS12. @@ -314,24 +315,35 @@ Use cases supported: 3. A mix of trust and key entries. **Specific Certificate Store Type Values** -*Basic Tab:* + +
+Basic Tab: + - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -*Advanced Tab:* +
+ +
+Advanced Tab: + - **Supports Custom Alias** - Required. - **Private Key Handling** - Optional. -*Custom Fields Tab:* +
+Custom Fields Tab: + - no adittional custom fields/parameters -Entry Parameters Tab: +
+ +
+Entry Parameters Tab: + - no additional entry parameters -  -  -************************************** +
+ **RFJKS Certificate Store Type** -************************************** The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. @@ -341,20 +353,34 @@ Use cases supported: 3. A mix of trust and key entries. **Specific Certificate Store Type Values** -*Basic Tab:* + +
+Basic Tab: + - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -*Advanced Tab:* +
+ +
+Advanced Tab: + - **Supports Custom Alias** - Required. - **Private Key Handling** - Optional. -*Custom Fields Tab:* +
+ +
+Custom Fields Tab: + - no adittional custom fields/parameters -Entry Parameters Tab: +
+Entry Parameters Tab: + - no additional entry parameters -  +
+   ************************************** **RFPEM Certificate Store Type** From fae8e483a2186847811355a5c5beea5c31b0e5a5 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 17:00:55 +0000 Subject: [PATCH 036/108] ab#55565 --- readme_source.md | 124 ++++++++++++++++++++++++++++++++++------------- 1 file changed, 91 insertions(+), 33 deletions(-) diff --git a/readme_source.md b/readme_source.md index ef75de70..aa66e083 100644 --- a/readme_source.md +++ b/readme_source.md @@ -154,7 +154,6 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
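Review bot: the RFPkcs12 hunk of PATCH 035/108 (@@ -314,24 +315,35 @@) carries the "adittional" misspelling in its "- no adittional custom fields/parameters" context line, and the RFJKS hunk that follows has the same one; as the commit subject says this README.md is generated, the spelling should be fixed in readme_source.md and the file regenerated rather than hand-edited here.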
-    ## Certificate Store Types @@ -228,6 +227,8 @@ Use cases supported: - **Supports Custom Alias** - Required. - **Private Key Handling** - Optional. +
+
Custom Fields Tab: @@ -273,6 +274,8 @@ Use cases supported: - no adittional custom fields/parameters +
+
Entry Parameters Tab: @@ -281,9 +284,7 @@ Use cases supported:
  -************************************** **RFPEM Certificate Store Type** -************************************** The RFPEM store type can be used to manage PEM encoded files. @@ -294,29 +295,42 @@ Use cases supported: 4. Single certificate stores with private key in an external file. 5. Single certificate stores with certificate chain in the file and private key in an external file -**Specific Certificate Store Type Values** -*Basic Tab:* +**Specific Certificate Store Type Values** + +
+Basic Tab: + - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -*Advanced Tab:* +
+ +Advanced Tab: + - **Supports Custom Alias** - Forbidden. - **Private Key Handling** - Optional. -*Custom Fields Tab:* +
+ +
+Custom Fields Tab: + - **Name:** IsTrustStore, **Display Name:** Trust Store, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true', this store will be identified as a trust store. Any certificates attempting to be added via a Management-Add job that contain a private key will raise an error with an accompanying message. Multiple certificates may be added to the store in this use case. If set to 'false', this store can only contain a single certificate with chain and private key. Management-Add jobs attempting to add a certificate without a private key to a store marked as IsTrustStore = 'false' will raise an error with an accompanying message. - **Name:** IncludesChain, **Display Name:** Store Includes Chain, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true' the full certificate chain, if sent by Keyfactor Command, will be stored in the file. The order of appearance is always assumed to be 1) end entity certificate, 2) issuing CA certificate, and 3) root certificate. If additional CA tiers are applicable, the order will be end entity certificate up to the root CA certificate. if set to 'false', only the end entity certificate and private key will be stored in this store. This setting is only valid when IsTrustStore = false. - **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that the private key for the certificate stored in this file will be inside the same file as the certificate. If the full path AND file name is put here, that location will be used to store the private key as an external file. This setting is only valid when IsTrustStore = false. 
- **Name:** IsRSAPrivateKey, **Display Name:** Is RSA Private Key, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true' it will be assumed that the private key for the certificate is a PKCS#1 RSA formatted private key (BEGIN RSA PRIVATE KEY). If 'false' (default), encrypted/non-encrypted PKCS#8 (BEGIN [ENCRYPTED] PRIVATE KEY) is assumed If set to 'true' the store password **must** be set to "no password", as PKCS#1 does not support encrypted keys. This setting is only valid when IsTrustStore = false. - **Name:** IgnorePrivateKeyOnInventory, **Display Name:** Ignore Private Key On Inventory, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true', inventory for this certificate store will be performed without accessing the certificate's private key or the store password. This will functionally make the store INVENTORY ONLY, as all certificates will be returned with "Private Key Entry" = false. Also, no certificate chain relationships will be maintained, and all certificates will be considered separate entries (basically a trust store). This may be useful in situations where the client does not know the store password at inventory run time, but would still like the certificates to be imported into Keyfactor Command. Once the correct store password is entered for the store, the client may de-select this option (change the value to False), schedule an inventory job, and then the appropriate private key entry and chain information should be properly stored in the Keyfactor Command location, allowing for renewal/removal of the certificate at a later time. -Entry Parameters Tab: +
+ +
+Entry Parameters Tab: + - no additional entry parameters +
+   -  -************************************** **RFDER Certificate Store Type** -************************************** The RFDER store type can be used to manage DER encoded files. @@ -324,25 +338,39 @@ Use cases supported: 1. Single certificate stores with private key in an external file. 5. Single certificate stores with no private key. -**Specific Certificate Store Type Values** -*Basic Tab:* +**Specific Certificate Store Type Values** + +
+Basic Tab: + - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -*Advanced Tab:* +
+ +
+Advanced Tab: + - **Supports Custom Alias** - Forbidden. - **Private Key Handling** - Optional. -*Custom Fields Tab:* +
+ +
+Custom Fields Tab: + - **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that there is no private key associated with this DER store. If the full path AND file name is entered here, that location will be used to store the private key as an external file in DER format. -Entry Parameters Tab: +
+ +
+Entry Parameters Tab: + - no additional entry parameters +
+   -  -************************************** **RFKDB Certificate Store Type** -************************************** The RFKDB store type can be used to manage IBM Key Database Files (KDB) files. The IBM utility, GSKCAPICMD, is used to read and write certificates from and to the target store and is therefore required to be installed on the server where each KDB certificate store being managed resides, and its location MUST be in the system $Path. @@ -351,25 +379,39 @@ Use cases supported: 2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. 3. A mix of trust and key entries. -**Specific Certificate Store Type Values** -*Basic Tab:* +**Specific Certificate Store Type Values** + +
+Basic Tab: + - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -*Advanced Tab:* +
+ +
+Advanced Tab: + - **Supports Custom Alias** - Required. - **Private Key Handling** - Optional. -*Custom Fields Tab:* +
+ +
+Custom Fields Tab: + - no adittional custom fields/parameters -Entry Parameters Tab: +
+ +
+Entry Parameters Tab: + - no additional entry parameters +
+   -  -************************************** **RFORA Certificate Store Type** -************************************** The RFORA store type can be used to manage Pkcs2 Oracle Wallets. Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows. Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created. @@ -379,20 +421,36 @@ Use cases supported: 3. A mix of trust and key entries. **Specific Certificate Store Type Values** -*Basic Tab:* + +
+Basic Tab: + - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -*Advanced Tab:* +
+ +
+Advanced Tab: + - **Supports Custom Alias** - Required. -- **Private Key Handling** - Optional. +- **Private Key Handling** - Optional. + +
-*Custom Fields Tab:* +
+Custom Fields Tab: + - **Name:** WorkFolder, **Display Name:** Work Folder, **Type:** String, **Default Value:** empty. This custom field is **required**. This required field should contain the path on the managed server where temporary work files can be created during Inventory and Management jobs. These files will be removed at the end of each job Please make sure that user id you have assigned to this certificate store will have access to create, modify, and delete files from this folder. -Entry Parameters Tab: +
+ +
+Entry Parameters Tab: + - no additional entry parameters -  +
+   ## Creating Certificate Stores and Scheduling Discovery Jobs From 7d81108f9240fabf8305123a00c8552332fe8169 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 17:01:39 +0000 Subject: [PATCH 037/108] Update generated README --- README.md | 124 +++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 91 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index f405aae6..a994be8b 100644 --- a/README.md +++ b/README.md @@ -255,7 +255,6 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
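Review bot: in the RFPEM hunk of PATCH 036/108 (@@ -294,29 +295,42 @@) the "Advanced Tab:" label is introduced with a single "+<br>" followed by a blank line, whereas "Basic Tab:" and "Custom Fields Tab:" in the same hunk each get "+<br>", "+", "+<br>"; make the spacing consistent (PATCH 042/108 later adds the missing "<br>"). While the hunk is open, two wording fixes in the custom-field context lines: "is assumed If set to 'true'" needs a period after "assumed", and "if set to 'false'" in the IncludesChain entry should start with a capital. The IsRSAPrivateKey entry states that the store password must be "no password" because PKCS#1 does not support encrypted keys; it would help operators if the text spelled out the consequence, namely that the private key is written to disk unencrypted and has to be protected by file permissions on the managed host.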
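Review bot: the use-case list in the RFDER hunk of PATCH 036/108 (@@ -324,25 +338,39 @@) is numbered "1." then "5." in the context lines ("1. Single certificate stores with private key in an external file. 5. Single certificate stores with no private key."); renumber the second item to "2.".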
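Review bot: the RFKDB hunk of PATCH 036/108 (@@ -351,25 +379,39 @@) has two wording issues in its context lines: "IBM Key Database Files (KDB) files" repeats "files", and "- no adittional custom fields/parameters" should read "additional". Both could be fixed in this commit since the surrounding lines are already being reflowed.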
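Review bot: the RFORA hunk of PATCH 036/108 (@@ -379,20 +421,36 @@) opens with "manage Pkcs2 Oracle Wallets" while the rest of the sentence says "Pkcs12"; "Pkcs2" looks like a typo. In the same hunk the line "- **Private Key Handling** - Optional." is removed and re-added with no visible difference, which suggests a trailing-whitespace-only change that could be dropped to keep the diff minimal. The WorkFolder description also runs "at the end of each job Please make sure that user id" and needs a period after "job" and "the user id".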
-    ## Certificate Store Types @@ -329,6 +328,8 @@ Use cases supported: - **Supports Custom Alias** - Required. - **Private Key Handling** - Optional. +
+
Custom Fields Tab: @@ -374,6 +375,8 @@ Use cases supported: - no adittional custom fields/parameters +
+
Entry Parameters Tab: @@ -382,9 +385,7 @@ Use cases supported:
  -************************************** **RFPEM Certificate Store Type** -************************************** The RFPEM store type can be used to manage PEM encoded files. @@ -395,29 +396,42 @@ Use cases supported: 4. Single certificate stores with private key in an external file. 5. Single certificate stores with certificate chain in the file and private key in an external file -**Specific Certificate Store Type Values** -*Basic Tab:* +**Specific Certificate Store Type Values** + +
+Basic Tab: + - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -*Advanced Tab:* +
+ +Advanced Tab: + - **Supports Custom Alias** - Forbidden. - **Private Key Handling** - Optional. -*Custom Fields Tab:* +
+ +
+Custom Fields Tab: + - **Name:** IsTrustStore, **Display Name:** Trust Store, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true', this store will be identified as a trust store. Any certificates attempting to be added via a Management-Add job that contain a private key will raise an error with an accompanying message. Multiple certificates may be added to the store in this use case. If set to 'false', this store can only contain a single certificate with chain and private key. Management-Add jobs attempting to add a certificate without a private key to a store marked as IsTrustStore = 'false' will raise an error with an accompanying message. - **Name:** IncludesChain, **Display Name:** Store Includes Chain, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true' the full certificate chain, if sent by Keyfactor Command, will be stored in the file. The order of appearance is always assumed to be 1) end entity certificate, 2) issuing CA certificate, and 3) root certificate. If additional CA tiers are applicable, the order will be end entity certificate up to the root CA certificate. if set to 'false', only the end entity certificate and private key will be stored in this store. This setting is only valid when IsTrustStore = false. - **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that the private key for the certificate stored in this file will be inside the same file as the certificate. If the full path AND file name is put here, that location will be used to store the private key as an external file. This setting is only valid when IsTrustStore = false. 
- **Name:** IsRSAPrivateKey, **Display Name:** Is RSA Private Key, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true' it will be assumed that the private key for the certificate is a PKCS#1 RSA formatted private key (BEGIN RSA PRIVATE KEY). If 'false' (default), encrypted/non-encrypted PKCS#8 (BEGIN [ENCRYPTED] PRIVATE KEY) is assumed If set to 'true' the store password **must** be set to "no password", as PKCS#1 does not support encrypted keys. This setting is only valid when IsTrustStore = false. - **Name:** IgnorePrivateKeyOnInventory, **Display Name:** Ignore Private Key On Inventory, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true', inventory for this certificate store will be performed without accessing the certificate's private key or the store password. This will functionally make the store INVENTORY ONLY, as all certificates will be returned with "Private Key Entry" = false. Also, no certificate chain relationships will be maintained, and all certificates will be considered separate entries (basically a trust store). This may be useful in situations where the client does not know the store password at inventory run time, but would still like the certificates to be imported into Keyfactor Command. Once the correct store password is entered for the store, the client may de-select this option (change the value to False), schedule an inventory job, and then the appropriate private key entry and chain information should be properly stored in the Keyfactor Command location, allowing for renewal/removal of the certificate at a later time. -Entry Parameters Tab: +
+ +
+Entry Parameters Tab: + - no additional entry parameters +
+   -  -************************************** **RFDER Certificate Store Type** -************************************** The RFDER store type can be used to manage DER encoded files. @@ -425,25 +439,39 @@ Use cases supported: 1. Single certificate stores with private key in an external file. 5. Single certificate stores with no private key. -**Specific Certificate Store Type Values** -*Basic Tab:* +**Specific Certificate Store Type Values** + +
+Basic Tab: + - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -*Advanced Tab:* +
+ +
+Advanced Tab: + - **Supports Custom Alias** - Forbidden. - **Private Key Handling** - Optional. -*Custom Fields Tab:* +
+ +
+Custom Fields Tab: + - **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that there is no private key associated with this DER store. If the full path AND file name is entered here, that location will be used to store the private key as an external file in DER format. -Entry Parameters Tab: +
+ +
+Entry Parameters Tab: + - no additional entry parameters +
+   -  -************************************** **RFKDB Certificate Store Type** -************************************** The RFKDB store type can be used to manage IBM Key Database Files (KDB) files. The IBM utility, GSKCAPICMD, is used to read and write certificates from and to the target store and is therefore required to be installed on the server where each KDB certificate store being managed resides, and its location MUST be in the system $Path. @@ -452,25 +480,39 @@ Use cases supported: 2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. 3. A mix of trust and key entries. -**Specific Certificate Store Type Values** -*Basic Tab:* +**Specific Certificate Store Type Values** + +
+Basic Tab: + - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -*Advanced Tab:* +
+ +
+Advanced Tab: + - **Supports Custom Alias** - Required. - **Private Key Handling** - Optional. -*Custom Fields Tab:* +
+ +
+Custom Fields Tab: + - no adittional custom fields/parameters -Entry Parameters Tab: +
+ +
+Entry Parameters Tab: + - no additional entry parameters +
+   -  -************************************** **RFORA Certificate Store Type** -************************************** The RFORA store type can be used to manage Pkcs2 Oracle Wallets. Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows. Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created. @@ -480,20 +522,36 @@ Use cases supported: 3. A mix of trust and key entries. **Specific Certificate Store Type Values** -*Basic Tab:* + +
+Basic Tab: + - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -*Advanced Tab:* +
+ +
+Advanced Tab: + - **Supports Custom Alias** - Required. -- **Private Key Handling** - Optional. +- **Private Key Handling** - Optional. + +
-*Custom Fields Tab:* +
+Custom Fields Tab: + - **Name:** WorkFolder, **Display Name:** Work Folder, **Type:** String, **Default Value:** empty. This custom field is **required**. This required field should contain the path on the managed server where temporary work files can be created during Inventory and Management jobs. These files will be removed at the end of each job Please make sure that user id you have assigned to this certificate store will have access to create, modify, and delete files from this folder. -Entry Parameters Tab: +
+ +
+Entry Parameters Tab: + - no additional entry parameters -  +
+   ## Creating Certificate Stores and Scheduling Discovery Jobs From 73c27abf5620693cba71f0eb64d9e2ec4a313dff Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 17:13:22 +0000 Subject: [PATCH 038/108] ab#55565 --- readme_source.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/readme_source.md b/readme_source.md index aa66e083..dfb1f2db 100644 --- a/readme_source.md +++ b/readme_source.md @@ -53,7 +53,8 @@ The version number of a the Remote File Orchestrator Extension can be verified b 1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command (See "Creating Certificate Stores" later in this README). Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment. -  + +
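Review bot: the RFDER hunk of PATCH 037/108 (@@ -425,25 +439,39 @@) reproduces the "1." / "5." list numbering, and the RFORA and RFKDB hunks reproduce "Pkcs2" and "adittional" from readme_source.md; since this README.md is generated (per the commit subject), correct them in readme_source.md and regenerate so the two files stay in sync.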
  ## Remote File Orchestrator Extension Installation 1. Create the certificate store types you wish to manage. Please refer to the individual sections devoted to each supported store type under "Certificate Store Types" later in this README. @@ -157,7 +158,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo   ## Certificate Store Types -When setting up the certificate store types you wish the Remote File Orchestrator Extension to manage, there are some common settings that will be the same for all supported types. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. Alternatively, there are CURL scripts for all of the currently implemented certificate store types in the Certificate Store Type CURL Scripts folder in this repo if you wish to automate the creation of the desired store types. +Below are the various certificate store types that the RemoteFile Orchestator Extension manages. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. This section is broken out into the store type settings that are common for all managed certificate store types, followed by each individual store type and it's additional or different settings. **Common Store Type Settings for all Types:** From 7d3a8b6ecd4b9d7e17646d01197d39fc2b1497d6 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 17:13:57 +0000 Subject: [PATCH 039/108] Update generated README --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a994be8b..4ac88e76 100644 --- a/README.md +++ b/README.md 
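Review bot: the WinRM context line in the first hunk of PATCH 038/108 (@@ -53,7 +53,8 @@) gives "5585 for HTTP and 5586 for HTTPS"; the conventional WinRM listener ports are 5985 and 5986, so this looks like a transposition and is worth fixing while the hunk is open, since an operator following the README would open the wrong ports on the orchestrated server.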
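Review bot: the replacement paragraph in the Certificate Store Types hunk of PATCH 038/108 (@@ -157,7 +158,7 @@) misspells "Orchestrator" as "Orchestator" and uses "it's" where "its" is meant ("each individual store type and it's additional or different settings"). The removed line also dropped the pointer to the CURL scripts in the "Certificate Store Type CURL Scripts" folder for automating store type creation; if those scripts still ship in the repo, keep a sentence pointing readers to them.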
@@ -154,7 +154,8 @@ The version number of a the Remote File Orchestrator Extension can be verified b 1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command (See "Creating Certificate Stores" later in this README). Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment. -  + +
  ## Remote File Orchestrator Extension Installation 1. Create the certificate store types you wish to manage. Please refer to the individual sections devoted to each supported store type under "Certificate Store Types" later in this README. @@ -258,7 +259,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo   ## Certificate Store Types -When setting up the certificate store types you wish the Remote File Orchestrator Extension to manage, there are some common settings that will be the same for all supported types. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. Alternatively, there are CURL scripts for all of the currently implemented certificate store types in the Certificate Store Type CURL Scripts folder in this repo if you wish to automate the creation of the desired store types. +Below are the various certificate store types that the RemoteFile Orchestator Extension manages. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. This section is broken out into the store type settings that are common for all managed certificate store types, followed by each individual store type and it's additional or different settings. **Common Store Type Settings for all Types:** From ce72d8262c52c2364fcee7f59806557ed6685618 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 17:17:07 +0000 Subject: [PATCH 040/108] ab#55565 --- readme_source.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/readme_source.md b/readme_source.md index dfb1f2db..b82d5a42 100644 --- a/readme_source.md +++ b/readme_source.md 
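Review bot: the replacement paragraph in the second hunk of PATCH 039/108 (@@ -258,7 +259,7 @@) carries "Orchestator" and "it's" over from readme_source.md, and the first hunk's context line repeats the "5585 for HTTP and 5586 for HTTPS" port pair; fix both in readme_source.md and regenerate this file rather than editing the generated README directly.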
@@ -54,7 +54,8 @@ The version number of a the Remote File Orchestrator Extension can be verified b Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment. -
+
+   ## Remote File Orchestrator Extension Installation 1. Create the certificate store types you wish to manage. Please refer to the individual sections devoted to each supported store type under "Certificate Store Types" later in this README. From 974998f4b62a1435ea28b2bd23d96266f299b6c4 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 17:17:42 +0000 Subject: [PATCH 041/108] Update generated README --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4ac88e76..f8239bcc 100644 --- a/README.md +++ b/README.md @@ -155,7 +155,8 @@ The version number of a the Remote File Orchestrator Extension can be verified b Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment. -
+
+   ## Remote File Orchestrator Extension Installation 1. Create the certificate store types you wish to manage. Please refer to the individual sections devoted to each supported store type under "Certificate Store Types" later in this README. From 6d03c9abb486d6c95a9f21160b4df666363dd74c Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 17:20:37 +0000 Subject: [PATCH 042/108] ab#55565 --- readme_source.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/readme_source.md b/readme_source.md index b82d5a42..cb4ffc71 100644 --- a/readme_source.md +++ b/readme_source.md @@ -306,6 +306,8 @@ Use cases supported:
+
+ Advanced Tab: - **Supports Custom Alias** - Forbidden. From 0751819e5771fb07a6b2e733b6305942ccabc933 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 17:21:12 +0000 Subject: [PATCH 043/108] Update generated README --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index f8239bcc..16b0d263 100644 --- a/README.md +++ b/README.md @@ -407,6 +407,8 @@ Use cases supported:
+
+ Advanced Tab: - **Supports Custom Alias** - Forbidden. From 6c7ccf6b8226ce6df37206f2f4d2190b16f5b47e Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 17:24:40 +0000 Subject: [PATCH 044/108] ab#55565 --- readme_source.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/readme_source.md b/readme_source.md index cb4ffc71..a8c92cbf 100644 --- a/readme_source.md +++ b/readme_source.md @@ -244,7 +244,8 @@ Use cases supported: - no additional entry parameters
- + +  **RFJKS Certificate Store Type** The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. From 7808bea61aa9201fc57e6a96470c44b61fa06614 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 17:25:13 +0000 Subject: [PATCH 045/108] Update generated README --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 16b0d263..bc70d797 100644 --- a/README.md +++ b/README.md @@ -345,7 +345,8 @@ Use cases supported: - no additional entry parameters
- + +  **RFJKS Certificate Store Type** The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. From 48fa2dca3ed74f0d45578d0b54d7484d7dfbb63b Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 17:25:48 +0000 Subject: [PATCH 046/108] ab#55565 --- readme_source.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme_source.md b/readme_source.md index a8c92cbf..bd532c49 100644 --- a/readme_source.md +++ b/readme_source.md @@ -245,7 +245,7 @@ Use cases supported: -  +  **RFJKS Certificate Store Type** The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. From a7bbf9564b64afd9b1a46d29a5f513922920fbb6 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 17:26:28 +0000 Subject: [PATCH 047/108] Update generated README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bc70d797..2ab9a406 100644 --- a/README.md +++ b/README.md @@ -346,7 +346,7 @@ Use cases supported: -  +  **RFJKS Certificate Store Type** The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. From c4d729accd6f839433fe2b45909549e1ca2c3dd7 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 19:59:04 +0000 Subject: [PATCH 048/108] ab#55565 --- readme_source.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/readme_source.md b/readme_source.md index bd532c49..7f8a8a47 100644 --- a/readme_source.md +++ b/readme_source.md 
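Review bot: the hunks in PATCH 046/108 and PATCH 047/108 (@@ -245,7 +245,7 @@ and @@ -346,7 +346,7 @@) show "-&nbsp;" replaced by "+&nbsp;" with no visible difference, so this is a whitespace-only change to a line that PATCH 044/108 and PATCH 045/108 introduced moments earlier; squash these four commits into one so the history does not record an add followed by an invisible re-touch.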
@@ -161,7 +161,9 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo Below are the various certificate store types that the RemoteFile Orchestator Extension manages. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. This section is broken out into the store type settings that are common for all managed certificate store types, followed by each individual store type and it's additional or different settings. -**Common Store Type Settings for all Types:** +Common Store Type Settings for all Types: + +
Basic Tab: @@ -204,6 +206,8 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
+
+   **RFPkcs12 Certificate Store Type** From 07ba18191ccf85ac56c4434055b1c0922d9f46cd Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 19:59:40 +0000 Subject: [PATCH 049/108] Update generated README --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2ab9a406..535f2ae5 100644 --- a/README.md +++ b/README.md @@ -262,7 +262,9 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo Below are the various certificate store types that the RemoteFile Orchestator Extension manages. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. This section is broken out into the store type settings that are common for all managed certificate store types, followed by each individual store type and it's additional or different settings. -**Common Store Type Settings for all Types:** +Common Store Type Settings for all Types: + +
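Review bot: dropping the bold from the changed line 'Common Store Type Settings for all Types:' leaves it as a plain paragraph that is no longer visually distinct from the body text, while the neighbouring markers such as '**RFPkcs12 Certificate Store Type**' keep their emphasis; unless a wrapper that is not visible in this hunk supplies the heading, keep the emphasis (or use the same convention as the store-type markers) so the block of common settings stays identifiable when scanning the page. Since the surrounding paragraph is being touched, the unchanged context line also carries 'Orchestator' for 'Orchestrator' and 'it's additional' for 'its additional', which are worth fixing in the same change.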
Basic Tab: @@ -305,6 +307,8 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
+
+   **RFPkcs12 Certificate Store Type** From 42f90d97d368531702d90a3c544b5e3d01a06372 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 20:02:15 +0000 Subject: [PATCH 050/108] ab#55565 --- readme_source.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/readme_source.md b/readme_source.md index 7f8a8a47..a03ca7b5 100644 --- a/readme_source.md +++ b/readme_source.md @@ -161,9 +161,8 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo Below are the various certificate store types that the RemoteFile Orchestator Extension manages. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. This section is broken out into the store type settings that are common for all managed certificate store types, followed by each individual store type and it's additional or different settings. -Common Store Type Settings for all Types: -
+Common Store Type Settings for all Types:
Basic Tab: From 5b4b3828152ad75317c6b58ceee60bbe0b27ef62 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 20:02:49 +0000 Subject: [PATCH 051/108] Update generated README --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 535f2ae5..28a54d4a 100644 --- a/README.md +++ b/README.md @@ -262,9 +262,8 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo Below are the various certificate store types that the RemoteFile Orchestator Extension manages. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. This section is broken out into the store type settings that are common for all managed certificate store types, followed by each individual store type and it's additional or different settings. -Common Store Type Settings for all Types: -
+Common Store Type Settings for all Types:
Basic Tab: From 6f05af579480fc1fc2385e3cae8ee937d2e53c8b Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 20:04:43 +0000 Subject: [PATCH 052/108] ab#55565 --- readme_source.md | 58 ++++++++++++++++++++++++------------------------ 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/readme_source.md b/readme_source.md index a03ca7b5..e70b19ed 100644 --- a/readme_source.md +++ b/readme_source.md @@ -164,46 +164,46 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
Common Store Type Settings for all Types: -
-Basic Tab: +
+ Basic Tab: -- **Name** – Required. The display name you wish to use for the new Certificate Store Type. -- **ShortName** - Required. See specific certificate store type instructions below. -- **Custom Capability** - Unchecked -- **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. -- **Needs Server** - Checked -- **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. -- **Uses PowerShell** - Unchecked -- **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. -- **Supports Entry Password** - Unchecked. + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. + - **ShortName** - Required. See specific certificate store type instructions below. + - **Custom Capability** - Unchecked + - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. + - **Needs Server** - Checked + - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. + - **Uses PowerShell** - Unchecked + - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. + - **Supports Entry Password** - Unchecked. -
+
-
-Advanced Tab: +
+ Advanced Tab: -- **Store Path Type** - Freeform -- **Supports Custom Alias** - See specific certificate store type instructions below. -- **Private Key Handling** - See specific certificate store type instructions below -- **PFX Password Style** - Default + - **Store Path Type** - Freeform + - **Supports Custom Alias** - See specific certificate store type instructions below. + - **Private Key Handling** - See specific certificate store type instructions below + - **PFX Password Style** - Default -
+
-
-Custom Fields Tab: +
+ Custom Fields Tab: -- **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". -- **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. -- **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. + - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". + - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". 
If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. -
+
-
-Entry Parameters Tab: +
+ Entry Parameters Tab: -- See specific certificate store type instructions below + - See specific certificate store type instructions below -
+
From de5b2078d4f6076dae3a3f7f4a00da21b70eb4b4 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 20:05:19 +0000 Subject: [PATCH 053/108] Update generated README --- README.md | 58 +++++++++++++++++++++++++++---------------------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index 28a54d4a..7de9f609 100644 --- a/README.md +++ b/README.md @@ -265,46 +265,46 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
Common Store Type Settings for all Types: -
-Basic Tab: +
+ Basic Tab: -- **Name** – Required. The display name you wish to use for the new Certificate Store Type. -- **ShortName** - Required. See specific certificate store type instructions below. -- **Custom Capability** - Unchecked -- **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. -- **Needs Server** - Checked -- **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. -- **Uses PowerShell** - Unchecked -- **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. -- **Supports Entry Password** - Unchecked. + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. + - **ShortName** - Required. See specific certificate store type instructions below. + - **Custom Capability** - Unchecked + - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. + - **Needs Server** - Checked + - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. + - **Uses PowerShell** - Unchecked + - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. + - **Supports Entry Password** - Unchecked. -
+
-
-Advanced Tab: +
+ Advanced Tab: -- **Store Path Type** - Freeform -- **Supports Custom Alias** - See specific certificate store type instructions below. -- **Private Key Handling** - See specific certificate store type instructions below -- **PFX Password Style** - Default + - **Store Path Type** - Freeform + - **Supports Custom Alias** - See specific certificate store type instructions below. + - **Private Key Handling** - See specific certificate store type instructions below + - **PFX Password Style** - Default -
+
-
-Custom Fields Tab: +
+ Custom Fields Tab: -- **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". -- **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. -- **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. + - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". + - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". 
If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. -
+
-
-Entry Parameters Tab: +
+ Entry Parameters Tab: -- See specific certificate store type instructions below + - See specific certificate store type instructions below -
+
From ba154c796c379a9263d5fc4cf46432a39df10c47 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Mon, 22 Apr 2024 20:20:22 +0000 Subject: [PATCH 054/108] ab#55565 --- readme_source.md | 58 ++++++++++++++++++++++++------------------------ 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/readme_source.md b/readme_source.md index e70b19ed..6011ac9a 100644 --- a/readme_source.md +++ b/readme_source.md @@ -164,46 +164,46 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
Common Store Type Settings for all Types: -
- Basic Tab: +
+ Basic Tab: - - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **ShortName** - Required. See specific certificate store type instructions below. - - **Custom Capability** - Unchecked - - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - - **Needs Server** - Checked - - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. - - **Uses PowerShell** - Unchecked - - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. - - **Supports Entry Password** - Unchecked. + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. + - **ShortName** - Required. See specific certificate store type instructions below. + - **Custom Capability** - Unchecked + - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. + - **Needs Server** - Checked + - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. + - **Uses PowerShell** - Unchecked + - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. 
+ - **Supports Entry Password** - Unchecked. -
+
-
- Advanced Tab: +
+Advanced Tab: - - **Store Path Type** - Freeform - - **Supports Custom Alias** - See specific certificate store type instructions below. - - **Private Key Handling** - See specific certificate store type instructions below - - **PFX Password Style** - Default +- **Store Path Type** - Freeform +- **Supports Custom Alias** - See specific certificate store type instructions below. +- **Private Key Handling** - See specific certificate store type instructions below +- **PFX Password Style** - Default -
+
-
- Custom Fields Tab: +
+Custom Fields Tab: - - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. - - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. +- **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". +- **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". 
If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. +- **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. -
+
-
- Entry Parameters Tab: +
+Entry Parameters Tab: - - See specific certificate store type instructions below +- See specific certificate store type instructions below -
+
From 7ac97970862065d631c83a409fb8578075c14e93 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 22 Apr 2024 20:21:02 +0000 Subject: [PATCH 055/108] Update generated README --- README.md | 58 +++++++++++++++++++++++++++---------------------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index 7de9f609..a433ddc8 100644 --- a/README.md +++ b/README.md @@ -265,46 +265,46 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
Common Store Type Settings for all Types: -
- Basic Tab: +
+ Basic Tab: - - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **ShortName** - Required. See specific certificate store type instructions below. - - **Custom Capability** - Unchecked - - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - - **Needs Server** - Checked - - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. - - **Uses PowerShell** - Unchecked - - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. - - **Supports Entry Password** - Unchecked. + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. + - **ShortName** - Required. See specific certificate store type instructions below. + - **Custom Capability** - Unchecked + - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. + - **Needs Server** - Checked + - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. + - **Uses PowerShell** - Unchecked + - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. 
+ - **Supports Entry Password** - Unchecked. -
+
-
- Advanced Tab: +
+Advanced Tab: - - **Store Path Type** - Freeform - - **Supports Custom Alias** - See specific certificate store type instructions below. - - **Private Key Handling** - See specific certificate store type instructions below - - **PFX Password Style** - Default +- **Store Path Type** - Freeform +- **Supports Custom Alias** - See specific certificate store type instructions below. +- **Private Key Handling** - See specific certificate store type instructions below +- **PFX Password Style** - Default -
+
-
- Custom Fields Tab: +
+Custom Fields Tab: - - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". - - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. - - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. +- **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". +- **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". 
If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. +- **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. -
+
-
- Entry Parameters Tab: +
+Entry Parameters Tab: - - See specific certificate store type instructions below +- See specific certificate store type instructions below -
+
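Review bot: the SudoImpersonatedUser bullet lists what the impersonated account needs (SCP/SFTP access to each store location or the SeparateUploadFilePath, plus the commands in "Security Considerations") but not which account must hold the sudoers entry that permits the impersonation. Since the field names "an alternate user id you wish to impersonate with sudo", it is the account that logs in and invokes sudo that has to be allowed to run those commands as this user; suggest saying so explicitly so readers do not grant the impersonated user sudo rights it never exercises. It is also worth stating plainly that "root" is the fallback whenever both this field and DefaultSudoImpersonatedUser are empty, so an operator who wants a non-root impersonated user has to set one of the two. Minor: "delimitter" in the LinuxFileOwnerOnStoreCreation bullet is carried from the removed lines into the re-added ones; should read "delimiter".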
From c3af3133039f4baea52594f8addd464f976dd5a6 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Tue, 23 Apr 2024 13:48:39 +0000 Subject: [PATCH 056/108] ab#55565 --- readme_source.md | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/readme_source.md b/readme_source.md index 6011ac9a..736eb7fe 100644 --- a/readme_source.md +++ b/readme_source.md @@ -164,20 +164,17 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
Common Store Type Settings for all Types: -
- Basic Tab: - - - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **ShortName** - Required. See specific certificate store type instructions below. - - **Custom Capability** - Unchecked - - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - - **Needs Server** - Checked - - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. - - **Uses PowerShell** - Unchecked - - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. - - **Supports Entry Password** - Unchecked. - -
+- Basic Tab: + + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. + - **ShortName** - Required. See specific certificate store type instructions below. + - **Custom Capability** - Unchecked + - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. + - **Needs Server** - Checked + - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. + - **Uses PowerShell** - Unchecked + - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. + - **Supports Entry Password** - Unchecked.
Advanced Tab: From 399d697cc7f68bb888c8a0566b0af2271640e16c Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Tue, 23 Apr 2024 13:49:17 +0000 Subject: [PATCH 057/108] Update generated README --- README.md | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index a433ddc8..e951c077 100644 --- a/README.md +++ b/README.md @@ -265,20 +265,17 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
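Review bot: the readme_source.md hunk of PATCH 056 above nests only "- Basic Tab:" as a list item with its fields indented beneath it, while the trailing context line "Advanced Tab:" remains a top-level line, so after this commit the Common Store Type Settings block mixes two list styles. Suggest nesting all the tabs in the same commit so the intermediate revision renders consistently. The hunk header's context line still reads "RemoteFile Orchestator Ex"; "Orchestator" should be "Orchestrator", and since README.md is regenerated from this file (see the "Update generated README" commit that follows) the fix belongs in readme_source.md.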
Common Store Type Settings for all Types: -
- Basic Tab: - - - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **ShortName** - Required. See specific certificate store type instructions below. - - **Custom Capability** - Unchecked - - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - - **Needs Server** - Checked - - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. - - **Uses PowerShell** - Unchecked - - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. - - **Supports Entry Password** - Unchecked. - -
+- Basic Tab: + + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. + - **ShortName** - Required. See specific certificate store type instructions below. + - **Custom Capability** - Unchecked + - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. + - **Needs Server** - Checked + - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. + - **Uses PowerShell** - Unchecked + - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. + - **Supports Entry Password** - Unchecked.
Advanced Tab: From e256f4fa913213eac32a0e1cbce0eda70aa16aa2 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Tue, 23 Apr 2024 14:04:01 +0000 Subject: [PATCH 058/108] ab#55565 --- readme_source.md | 234 ++++++++++++++++++----------------------------- 1 file changed, 88 insertions(+), 146 deletions(-) diff --git a/readme_source.md b/readme_source.md index 736eb7fe..79b5bcff 100644 --- a/readme_source.md +++ b/readme_source.md @@ -164,7 +164,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
Common Store Type Settings for all Types: -- Basic Tab: +- Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - **ShortName** - Required. See specific certificate store type instructions below. @@ -176,36 +176,29 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. - **Supports Entry Password** - Unchecked. -
-Advanced Tab: - -- **Store Path Type** - Freeform -- **Supports Custom Alias** - See specific certificate store type instructions below. -- **Private Key Handling** - See specific certificate store type instructions below -- **PFX Password Style** - Default +- Advanced Tab: -
+ - **Store Path Type** - Freeform + - **Supports Custom Alias** - See specific certificate store type instructions below. + - **Private Key Handling** - See specific certificate store type instructions below + - **PFX Password Style** - Default -
-Custom Fields Tab: +- Custom Fields Tab: -- **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". -- **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. -- **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. + - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". + - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". 
If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. -
+*Entry Parameters Tab: -
-Entry Parameters Tab: - -- See specific certificate store type instructions below + - See specific certificate store type instructions below
-
+  -  -**RFPkcs12 Certificate Store Type** +
+**RFPkcs12 Certificate Store Type** The RFPkcs12 store type can be used to manage any PKCS#12 compliant file format INCLUDING java keystores of type PKCS12. @@ -216,37 +209,29 @@ Use cases supported: **Specific Certificate Store Type Values** -
-Basic Tab: - -- **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). - -
- -
-Advanced Tab: +- Basic Tab: -- **Supports Custom Alias** - Required. -- **Private Key Handling** - Optional. + - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -
+- Advanced Tab: -
-Custom Fields Tab: + - **Supports Custom Alias** - Required. + - **Private Key Handling** - Optional. -- no adittional custom fields/parameters +- Custom Fields Tab: -
+ - no adittional custom fields/parameters -
-Entry Parameters Tab: +- Entry Parameters Tab: -- no additional entry parameters + - no additional entry parameters
  -**RFJKS Certificate Store Type** + +
+**RFJKS Certificate Store Type** The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. @@ -257,37 +242,29 @@ Use cases supported: **Specific Certificate Store Type Values** -
-Basic Tab: - -- **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). - -
+- Basic Tab: -
-Advanced Tab: + - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -- **Supports Custom Alias** - Required. -- **Private Key Handling** - Optional. +- Advanced Tab: -
+ - **Supports Custom Alias** - Required. + - **Private Key Handling** - Optional. -
-Custom Fields Tab: +- Custom Fields Tab: -- no adittional custom fields/parameters - -
+ - no adittional custom fields/parameters -
-Entry Parameters Tab: +- Entry Parameters Tab: -- no additional entry parameters + - no additional entry parameters
  -**RFPEM Certificate Store Type** + +
+**RFPEM Certificate Store Type** The RFPEM store type can be used to manage PEM encoded files. @@ -300,42 +277,33 @@ Use cases supported: **Specific Certificate Store Type Values** -
-Basic Tab: - -- **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). - -
- -
- -Advanced Tab: +- Basic Tab: -- **Supports Custom Alias** - Forbidden. -- **Private Key Handling** - Optional. + - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -
+- Advanced Tab: -
-Custom Fields Tab: + - **Supports Custom Alias** - Forbidden. + - **Private Key Handling** - Optional. -- **Name:** IsTrustStore, **Display Name:** Trust Store, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true', this store will be identified as a trust store. Any certificates attempting to be added via a Management-Add job that contain a private key will raise an error with an accompanying message. Multiple certificates may be added to the store in this use case. If set to 'false', this store can only contain a single certificate with chain and private key. Management-Add jobs attempting to add a certificate without a private key to a store marked as IsTrustStore = 'false' will raise an error with an accompanying message. -- **Name:** IncludesChain, **Display Name:** Store Includes Chain, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true' the full certificate chain, if sent by Keyfactor Command, will be stored in the file. The order of appearance is always assumed to be 1) end entity certificate, 2) issuing CA certificate, and 3) root certificate. If additional CA tiers are applicable, the order will be end entity certificate up to the root CA certificate. if set to 'false', only the end entity certificate and private key will be stored in this store. This setting is only valid when IsTrustStore = false. -- **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that the private key for the certificate stored in this file will be inside the same file as the certificate. If the full path AND file name is put here, that location will be used to store the private key as an external file. This setting is only valid when IsTrustStore = false. 
-- **Name:** IsRSAPrivateKey, **Display Name:** Is RSA Private Key, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true' it will be assumed that the private key for the certificate is a PKCS#1 RSA formatted private key (BEGIN RSA PRIVATE KEY). If 'false' (default), encrypted/non-encrypted PKCS#8 (BEGIN [ENCRYPTED] PRIVATE KEY) is assumed If set to 'true' the store password **must** be set to "no password", as PKCS#1 does not support encrypted keys. This setting is only valid when IsTrustStore = false. -- **Name:** IgnorePrivateKeyOnInventory, **Display Name:** Ignore Private Key On Inventory, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true', inventory for this certificate store will be performed without accessing the certificate's private key or the store password. This will functionally make the store INVENTORY ONLY, as all certificates will be returned with "Private Key Entry" = false. Also, no certificate chain relationships will be maintained, and all certificates will be considered separate entries (basically a trust store). This may be useful in situations where the client does not know the store password at inventory run time, but would still like the certificates to be imported into Keyfactor Command. Once the correct store password is entered for the store, the client may de-select this option (change the value to False), schedule an inventory job, and then the appropriate private key entry and chain information should be properly stored in the Keyfactor Command location, allowing for renewal/removal of the certificate at a later time. +- Custom Fields Tab: -
+ - **Name:** IsTrustStore, **Display Name:** Trust Store, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true', this store will be identified as a trust store. Any certificates attempting to be added via a Management-Add job that contain a private key will raise an error with an accompanying message. Multiple certificates may be added to the store in this use case. If set to 'false', this store can only contain a single certificate with chain and private key. Management-Add jobs attempting to add a certificate without a private key to a store marked as IsTrustStore = 'false' will raise an error with an accompanying message. + - **Name:** IncludesChain, **Display Name:** Store Includes Chain, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true' the full certificate chain, if sent by Keyfactor Command, will be stored in the file. The order of appearance is always assumed to be 1) end entity certificate, 2) issuing CA certificate, and 3) root certificate. If additional CA tiers are applicable, the order will be end entity certificate up to the root CA certificate. if set to 'false', only the end entity certificate and private key will be stored in this store. This setting is only valid when IsTrustStore = false. + - **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that the private key for the certificate stored in this file will be inside the same file as the certificate. If the full path AND file name is put here, that location will be used to store the private key as an external file. This setting is only valid when IsTrustStore = false. 
+ - **Name:** IsRSAPrivateKey, **Display Name:** Is RSA Private Key, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true' it will be assumed that the private key for the certificate is a PKCS#1 RSA formatted private key (BEGIN RSA PRIVATE KEY). If 'false' (default), encrypted/non-encrypted PKCS#8 (BEGIN [ENCRYPTED] PRIVATE KEY) is assumed If set to 'true' the store password **must** be set to "no password", as PKCS#1 does not support encrypted keys. This setting is only valid when IsTrustStore = false. + - **Name:** IgnorePrivateKeyOnInventory, **Display Name:** Ignore Private Key On Inventory, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true', inventory for this certificate store will be performed without accessing the certificate's private key or the store password. This will functionally make the store INVENTORY ONLY, as all certificates will be returned with "Private Key Entry" = false. Also, no certificate chain relationships will be maintained, and all certificates will be considered separate entries (basically a trust store). This may be useful in situations where the client does not know the store password at inventory run time, but would still like the certificates to be imported into Keyfactor Command. Once the correct store password is entered for the store, the client may de-select this option (change the value to False), schedule an inventory job, and then the appropriate private key entry and chain information should be properly stored in the Keyfactor Command location, allowing for renewal/removal of the certificate at a later time. -
-Entry Parameters Tab: +- Entry Parameters Tab: -- no additional entry parameters + - no additional entry parameters
  -**RFDER Certificate Store Type** + +
+**RFDER Certificate Store Type** The RFDER store type can be used to manage DER encoded files. @@ -345,37 +313,29 @@ Use cases supported: **Specific Certificate Store Type Values** -
-Basic Tab: +- Basic Tab: -- **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). + - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -
+- Advanced Tab: -
-Advanced Tab: + - **Supports Custom Alias** - Forbidden. + - **Private Key Handling** - Optional. -- **Supports Custom Alias** - Forbidden. -- **Private Key Handling** - Optional. +- Custom Fields Tab: -
+ - **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that there is no private key associated with this DER store. If the full path AND file name is entered here, that location will be used to store the private key as an external file in DER format. -
-Custom Fields Tab: - -- **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that there is no private key associated with this DER store. If the full path AND file name is entered here, that location will be used to store the private key as an external file in DER format. - -
- -
-Entry Parameters Tab: +- Entry Parameters Tab: -- no additional entry parameters + - no additional entry parameters
  -**RFKDB Certificate Store Type** + +
+**RFKDB Certificate Store Type** The RFKDB store type can be used to manage IBM Key Database Files (KDB) files. The IBM utility, GSKCAPICMD, is used to read and write certificates from and to the target store and is therefore required to be installed on the server where each KDB certificate store being managed resides, and its location MUST be in the system $Path. @@ -386,37 +346,29 @@ Use cases supported: **Specific Certificate Store Type Values** -
-Basic Tab: +- Basic Tab: -- **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). + - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -
+- Advanced Tab: -
-Advanced Tab: - -- **Supports Custom Alias** - Required. -- **Private Key Handling** - Optional. + - **Supports Custom Alias** - Required. + - **Private Key Handling** - Optional. -
- -
-Custom Fields Tab: +- Custom Fields Tab: -- no adittional custom fields/parameters + - no adittional custom fields/parameters -
- -
-Entry Parameters Tab: +- Entry Parameters Tab: -- no additional entry parameters + - no additional entry parameters
  -**RFORA Certificate Store Type** + +
+**RFORA Certificate Store Type** The RFORA store type can be used to manage Pkcs2 Oracle Wallets. Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows. Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created. @@ -427,32 +379,22 @@ Use cases supported: **Specific Certificate Store Type Values** -
-Basic Tab: - -- **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). +- Basic Tab: -
- -
-Advanced Tab: + - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -- **Supports Custom Alias** - Required. -- **Private Key Handling** - Optional. +- Advanced Tab: -
+ - **Supports Custom Alias** - Required. + - **Private Key Handling** - Optional. -
-Custom Fields Tab: +- Custom Fields Tab: -- **Name:** WorkFolder, **Display Name:** Work Folder, **Type:** String, **Default Value:** empty. This custom field is **required**. This required field should contain the path on the managed server where temporary work files can be created during Inventory and Management jobs. These files will be removed at the end of each job Please make sure that user id you have assigned to this certificate store will have access to create, modify, and delete files from this folder. + - **Name:** WorkFolder, **Display Name:** Work Folder, **Type:** String, **Default Value:** empty. This custom field is **required**. This required field should contain the path on the managed server where temporary work files can be created during Inventory and Management jobs. These files will be removed at the end of each job Please make sure that user id you have assigned to this certificate store will have access to create, modify, and delete files from this folder. -
- -
-Entry Parameters Tab: +- Entry Parameters Tab: -- no additional entry parameters + - no additional entry parameters
From f371e656c81eae18660f829afd77f3c7a8023613 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Tue, 23 Apr 2024 14:04:40 +0000 Subject: [PATCH 059/108] Update generated README --- README.md | 234 ++++++++++++++++++++---------------------------------- 1 file changed, 88 insertions(+), 146 deletions(-) diff --git a/README.md b/README.md index e951c077..c4f2799b 100644 --- a/README.md +++ b/README.md @@ -265,7 +265,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
Common Store Type Settings for all Types: -- Basic Tab: +- Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - **ShortName** - Required. See specific certificate store type instructions below. @@ -277,36 +277,29 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. - **Supports Entry Password** - Unchecked. -
-Advanced Tab: - -- **Store Path Type** - Freeform -- **Supports Custom Alias** - See specific certificate store type instructions below. -- **Private Key Handling** - See specific certificate store type instructions below -- **PFX Password Style** - Default +- Advanced Tab: -
+ - **Store Path Type** - Freeform + - **Supports Custom Alias** - See specific certificate store type instructions below. + - **Private Key Handling** - See specific certificate store type instructions below + - **PFX Password Style** - Default -
-Custom Fields Tab: +- Custom Fields Tab: -- **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". -- **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. -- **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). 
Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. + - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". + - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". 
If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. -
+*Entry Parameters Tab: -
-Entry Parameters Tab: - -- See specific certificate store type instructions below + - See specific certificate store type instructions below
-
+  -  -**RFPkcs12 Certificate Store Type** +
+**RFPkcs12 Certificate Store Type** The RFPkcs12 store type can be used to manage any PKCS#12 compliant file format INCLUDING java keystores of type PKCS12. @@ -317,37 +310,29 @@ Use cases supported: **Specific Certificate Store Type Values** -
-Basic Tab: - -- **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). - -
- -
-Advanced Tab: +- Basic Tab: -- **Supports Custom Alias** - Required. -- **Private Key Handling** - Optional. + - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -
+- Advanced Tab: -
-Custom Fields Tab: + - **Supports Custom Alias** - Required. + - **Private Key Handling** - Optional. -- no adittional custom fields/parameters +- Custom Fields Tab: -
+ - no adittional custom fields/parameters -
-Entry Parameters Tab: +- Entry Parameters Tab: -- no additional entry parameters + - no additional entry parameters
  -**RFJKS Certificate Store Type** + +
+**RFJKS Certificate Store Type** The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. @@ -358,37 +343,29 @@ Use cases supported: **Specific Certificate Store Type Values** -
-Basic Tab: - -- **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). - -
+- Basic Tab: -
-Advanced Tab: + - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -- **Supports Custom Alias** - Required. -- **Private Key Handling** - Optional. +- Advanced Tab: -
+ - **Supports Custom Alias** - Required. + - **Private Key Handling** - Optional. -
-Custom Fields Tab: +- Custom Fields Tab: -- no adittional custom fields/parameters - -
+ - no adittional custom fields/parameters -
-Entry Parameters Tab: +- Entry Parameters Tab: -- no additional entry parameters + - no additional entry parameters
  -**RFPEM Certificate Store Type** + +
+**RFPEM Certificate Store Type** The RFPEM store type can be used to manage PEM encoded files. @@ -401,42 +378,33 @@ Use cases supported: **Specific Certificate Store Type Values** -
-Basic Tab: - -- **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). - -
- -
- -Advanced Tab: +- Basic Tab: -- **Supports Custom Alias** - Forbidden. -- **Private Key Handling** - Optional. + - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -
+- Advanced Tab: -
-Custom Fields Tab: + - **Supports Custom Alias** - Forbidden. + - **Private Key Handling** - Optional. -- **Name:** IsTrustStore, **Display Name:** Trust Store, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true', this store will be identified as a trust store. Any certificates attempting to be added via a Management-Add job that contain a private key will raise an error with an accompanying message. Multiple certificates may be added to the store in this use case. If set to 'false', this store can only contain a single certificate with chain and private key. Management-Add jobs attempting to add a certificate without a private key to a store marked as IsTrustStore = 'false' will raise an error with an accompanying message. -- **Name:** IncludesChain, **Display Name:** Store Includes Chain, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true' the full certificate chain, if sent by Keyfactor Command, will be stored in the file. The order of appearance is always assumed to be 1) end entity certificate, 2) issuing CA certificate, and 3) root certificate. If additional CA tiers are applicable, the order will be end entity certificate up to the root CA certificate. if set to 'false', only the end entity certificate and private key will be stored in this store. This setting is only valid when IsTrustStore = false. -- **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that the private key for the certificate stored in this file will be inside the same file as the certificate. If the full path AND file name is put here, that location will be used to store the private key as an external file. This setting is only valid when IsTrustStore = false. 
-- **Name:** IsRSAPrivateKey, **Display Name:** Is RSA Private Key, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true' it will be assumed that the private key for the certificate is a PKCS#1 RSA formatted private key (BEGIN RSA PRIVATE KEY). If 'false' (default), encrypted/non-encrypted PKCS#8 (BEGIN [ENCRYPTED] PRIVATE KEY) is assumed If set to 'true' the store password **must** be set to "no password", as PKCS#1 does not support encrypted keys. This setting is only valid when IsTrustStore = false. -- **Name:** IgnorePrivateKeyOnInventory, **Display Name:** Ignore Private Key On Inventory, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true', inventory for this certificate store will be performed without accessing the certificate's private key or the store password. This will functionally make the store INVENTORY ONLY, as all certificates will be returned with "Private Key Entry" = false. Also, no certificate chain relationships will be maintained, and all certificates will be considered separate entries (basically a trust store). This may be useful in situations where the client does not know the store password at inventory run time, but would still like the certificates to be imported into Keyfactor Command. Once the correct store password is entered for the store, the client may de-select this option (change the value to False), schedule an inventory job, and then the appropriate private key entry and chain information should be properly stored in the Keyfactor Command location, allowing for renewal/removal of the certificate at a later time. +- Custom Fields Tab: -
+ - **Name:** IsTrustStore, **Display Name:** Trust Store, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true', this store will be identified as a trust store. Any certificates attempting to be added via a Management-Add job that contain a private key will raise an error with an accompanying message. Multiple certificates may be added to the store in this use case. If set to 'false', this store can only contain a single certificate with chain and private key. Management-Add jobs attempting to add a certificate without a private key to a store marked as IsTrustStore = 'false' will raise an error with an accompanying message. + - **Name:** IncludesChain, **Display Name:** Store Includes Chain, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true' the full certificate chain, if sent by Keyfactor Command, will be stored in the file. The order of appearance is always assumed to be 1) end entity certificate, 2) issuing CA certificate, and 3) root certificate. If additional CA tiers are applicable, the order will be end entity certificate up to the root CA certificate. if set to 'false', only the end entity certificate and private key will be stored in this store. This setting is only valid when IsTrustStore = false. + - **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that the private key for the certificate stored in this file will be inside the same file as the certificate. If the full path AND file name is put here, that location will be used to store the private key as an external file. This setting is only valid when IsTrustStore = false. 
+ - **Name:** IsRSAPrivateKey, **Display Name:** Is RSA Private Key, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true' it will be assumed that the private key for the certificate is a PKCS#1 RSA formatted private key (BEGIN RSA PRIVATE KEY). If 'false' (default), encrypted/non-encrypted PKCS#8 (BEGIN [ENCRYPTED] PRIVATE KEY) is assumed If set to 'true' the store password **must** be set to "no password", as PKCS#1 does not support encrypted keys. This setting is only valid when IsTrustStore = false. + - **Name:** IgnorePrivateKeyOnInventory, **Display Name:** Ignore Private Key On Inventory, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true', inventory for this certificate store will be performed without accessing the certificate's private key or the store password. This will functionally make the store INVENTORY ONLY, as all certificates will be returned with "Private Key Entry" = false. Also, no certificate chain relationships will be maintained, and all certificates will be considered separate entries (basically a trust store). This may be useful in situations where the client does not know the store password at inventory run time, but would still like the certificates to be imported into Keyfactor Command. Once the correct store password is entered for the store, the client may de-select this option (change the value to False), schedule an inventory job, and then the appropriate private key entry and chain information should be properly stored in the Keyfactor Command location, allowing for renewal/removal of the certificate at a later time. -
-Entry Parameters Tab: +- Entry Parameters Tab: -- no additional entry parameters + - no additional entry parameters
  -**RFDER Certificate Store Type** + +
+**RFDER Certificate Store Type** The RFDER store type can be used to manage DER encoded files. @@ -446,37 +414,29 @@ Use cases supported: **Specific Certificate Store Type Values** -
-Basic Tab: +- Basic Tab: -- **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). + - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -
+- Advanced Tab: -
-Advanced Tab: + - **Supports Custom Alias** - Forbidden. + - **Private Key Handling** - Optional. -- **Supports Custom Alias** - Forbidden. -- **Private Key Handling** - Optional. +- Custom Fields Tab: -
+ - **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that there is no private key associated with this DER store. If the full path AND file name is entered here, that location will be used to store the private key as an external file in DER format. -
-Custom Fields Tab: - -- **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that there is no private key associated with this DER store. If the full path AND file name is entered here, that location will be used to store the private key as an external file in DER format. - -
- -
-Entry Parameters Tab: +- Entry Parameters Tab: -- no additional entry parameters + - no additional entry parameters
  -**RFKDB Certificate Store Type** + +
+**RFKDB Certificate Store Type** The RFKDB store type can be used to manage IBM Key Database Files (KDB) files. The IBM utility, GSKCAPICMD, is used to read and write certificates from and to the target store and is therefore required to be installed on the server where each KDB certificate store being managed resides, and its location MUST be in the system $Path. @@ -487,37 +447,29 @@ Use cases supported: **Specific Certificate Store Type Values** -
-Basic Tab: +- Basic Tab: -- **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). + - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -
+- Advanced Tab: -
-Advanced Tab: - -- **Supports Custom Alias** - Required. -- **Private Key Handling** - Optional. + - **Supports Custom Alias** - Required. + - **Private Key Handling** - Optional. -
- -
-Custom Fields Tab: +- Custom Fields Tab: -- no adittional custom fields/parameters + - no adittional custom fields/parameters -
- -
-Entry Parameters Tab: +- Entry Parameters Tab: -- no additional entry parameters + - no additional entry parameters
  -**RFORA Certificate Store Type** + +
+**RFORA Certificate Store Type** The RFORA store type can be used to manage Pkcs2 Oracle Wallets. Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows. Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created. @@ -528,32 +480,22 @@ Use cases supported: **Specific Certificate Store Type Values** -
-Basic Tab: - -- **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). +- Basic Tab: -
- -
-Advanced Tab: + - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). -- **Supports Custom Alias** - Required. -- **Private Key Handling** - Optional. +- Advanced Tab: -
+ - **Supports Custom Alias** - Required. + - **Private Key Handling** - Optional. -
-Custom Fields Tab: +- Custom Fields Tab: -- **Name:** WorkFolder, **Display Name:** Work Folder, **Type:** String, **Default Value:** empty. This custom field is **required**. This required field should contain the path on the managed server where temporary work files can be created during Inventory and Management jobs. These files will be removed at the end of each job Please make sure that user id you have assigned to this certificate store will have access to create, modify, and delete files from this folder. + - **Name:** WorkFolder, **Display Name:** Work Folder, **Type:** String, **Default Value:** empty. This custom field is **required**. This required field should contain the path on the managed server where temporary work files can be created during Inventory and Management jobs. These files will be removed at the end of each job Please make sure that user id you have assigned to this certificate store will have access to create, modify, and delete files from this folder. -
- -
-Entry Parameters Tab: +- Entry Parameters Tab: -- no additional entry parameters + - no additional entry parameters
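Review bot: in the Common Store Type Settings hunk the added line "+*Entry Parameters Tab:" uses a stray asterisk instead of the "- " prefix its sibling items ("- Advanced Tab:", "- Custom Fields Tab:") use, so it renders as a plain paragraph and the nested "- See specific certificate store type instructions below" bullet detaches from it; it should be "- Entry Parameters Tab:" (a later patch in this series corrects it, but fixing it at the source here avoids two regenerations). While these lines are being rewritten it is also worth carrying the spelling fixes into the "+" lines rather than copying the errors forward: "adittional" in the RFPkcs12, RFJKS and RFKDB Custom Fields items, "delimitter" in LinuxFileOwnerOnStoreCreation, the missing period in "is assumed If set to 'true'" in IsRSAPrivateKey, "Pkcs2" in the RFORA intro, and "Orchestator" in the section lead sentence that shows in every hunk header. On the SudoImpersonatedUser item, the text documents that an empty value (with no DefaultSudoImpersonatedUser in config.json) falls back to root; since the same item says the impersonated account only needs SCP/SFTP access to the store locations or SeparateUploadFilePath plus the commands in Security Considerations, consider adding one sentence recommending a dedicated non-root account that owns the store files instead of relying on that root fallback.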
From 69a125364f46f63b3581068eb7cc88e5eaa1eb66 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Tue, 23 Apr 2024 14:07:37 +0000 Subject: [PATCH 060/108] ab#55565 --- readme_source.md | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/readme_source.md b/readme_source.md index 79b5bcff..adcc7d2c 100644 --- a/readme_source.md +++ b/readme_source.md @@ -195,10 +195,8 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-  -
-**RFPkcs12 Certificate Store Type** +RFPkcs12 Certificate Store Type The RFPkcs12 store type can be used to manage any PKCS#12 compliant file format INCLUDING java keystores of type PKCS12. @@ -228,10 +226,8 @@ Use cases supported:
-  -
-**RFJKS Certificate Store Type** +RFJKS Certificate Store Type The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. @@ -261,8 +257,6 @@ Use cases supported:
-  -
**RFPEM Certificate Store Type** @@ -303,7 +297,7 @@ Use cases supported:  
-**RFDER Certificate Store Type** +RFDER Certificate Store Type The RFDER store type can be used to manage DER encoded files. @@ -332,10 +326,8 @@ Use cases supported:
-  -
-**RFKDB Certificate Store Type** +RFKDB Certificate Store Type The RFKDB store type can be used to manage IBM Key Database Files (KDB) files. The IBM utility, GSKCAPICMD, is used to read and write certificates from and to the target store and is therefore required to be installed on the server where each KDB certificate store being managed resides, and its location MUST be in the system $Path. @@ -365,10 +357,8 @@ Use cases supported:
-  -
-**RFORA Certificate Store Type** +RFORA Certificate Store Type The RFORA store type can be used to manage Pkcs2 Oracle Wallets. Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows. Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created. From d0759d9b695d6f29a659067df65cebb13d593ff8 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Tue, 23 Apr 2024 14:08:18 +0000 Subject: [PATCH 061/108] Update generated README --- README.md | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index c4f2799b..96cf812f 100644 --- a/README.md +++ b/README.md @@ -296,10 +296,8 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
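Review bot: the RFPEM section is treated differently from its siblings in this readme_source.md patch (and therefore in the generated README.md mirror that follows): the RFPkcs12, RFJKS, RFDER, RFKDB and RFORA hunks drop the bold from the store-type heading ("**RFPkcs12 Certificate Store Type**" becomes "RFPkcs12 Certificate Store Type"), but the RFPEM hunk at @@ -261,8 +257,6 @@ only removes the "&nbsp;" spacer and leaves "**RFPEM Certificate Store Type**" bold. Either unbold it here too or keep all six bold. Also worth confirming: once the bold is removed these names are plain paragraphs with no heading markup, so check the rendered README still distinguishes each store type section from the body text.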
-  -
-**RFPkcs12 Certificate Store Type** +RFPkcs12 Certificate Store Type The RFPkcs12 store type can be used to manage any PKCS#12 compliant file format INCLUDING java keystores of type PKCS12. @@ -329,10 +327,8 @@ Use cases supported:
-  -
-**RFJKS Certificate Store Type** +RFJKS Certificate Store Type The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. @@ -362,8 +358,6 @@ Use cases supported:
-  -
**RFPEM Certificate Store Type** @@ -404,7 +398,7 @@ Use cases supported:  
-**RFDER Certificate Store Type** +RFDER Certificate Store Type The RFDER store type can be used to manage DER encoded files. @@ -433,10 +427,8 @@ Use cases supported:
-  -
-**RFKDB Certificate Store Type** +RFKDB Certificate Store Type The RFKDB store type can be used to manage IBM Key Database Files (KDB) files. The IBM utility, GSKCAPICMD, is used to read and write certificates from and to the target store and is therefore required to be installed on the server where each KDB certificate store being managed resides, and its location MUST be in the system $Path. @@ -466,10 +458,8 @@ Use cases supported:
-  -
-**RFORA Certificate Store Type** +RFORA Certificate Store Type The RFORA store type can be used to manage Pkcs2 Oracle Wallets. Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows. Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created. From 6114dd42f5c0445f4601a34ef541e262a347ab1a Mon Sep 17 00:00:00 2001 From: leefine02 Date: Tue, 23 Apr 2024 14:09:19 +0000 Subject: [PATCH 062/108] ab#55565 --- readme_source.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/readme_source.md b/readme_source.md index adcc7d2c..d5df477f 100644 --- a/readme_source.md +++ b/readme_source.md @@ -258,7 +258,7 @@ Use cases supported:
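Review bot: this "Update generated README" patch reproduces the preceding readme_source.md patch line for line, which confirms README.md is generated from readme_source.md; any corrections (the RFPEM heading left bold, the "Pkcs2" typo in the RFORA intro) belong in readme_source.md followed by a regeneration, not in README.md directly, or the next regeneration will overwrite them.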
-**RFPEM Certificate Store Type** +RFPEM Certificate Store Type The RFPEM store type can be used to manage PEM encoded files. @@ -294,8 +294,6 @@ Use cases supported:
-  -
RFDER Certificate Store Type From aa2983bd3b8cb56a702b27cf266b3a34f80e900d Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Tue, 23 Apr 2024 14:09:56 +0000 Subject: [PATCH 063/108] Update generated README --- README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index 96cf812f..1d82d4b1 100644 --- a/README.md +++ b/README.md @@ -359,7 +359,7 @@ Use cases supported:
-**RFPEM Certificate Store Type** +RFPEM Certificate Store Type The RFPEM store type can be used to manage PEM encoded files. @@ -395,8 +395,6 @@ Use cases supported:
-  -
RFDER Certificate Store Type From 17d1385ad1ed0f2b2403ade71ef581f07ba1fb83 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Tue, 23 Apr 2024 14:12:29 +0000 Subject: [PATCH 064/108] ab#55565 --- readme_source.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme_source.md b/readme_source.md index d5df477f..bd3ad92a 100644 --- a/readme_source.md +++ b/readme_source.md 
@@ -189,7 +189,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. -*Entry Parameters Tab: +- Entry Parameters Tab: - See specific certificate store type instructions below 
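Review bot: the context line directly above the fixed "- Entry Parameters Tab:" still spells "delimiter" as "delimitter" in the LinuxFileOwnerOnStoreCreation item; since this change already touches the Common Store Type Settings block in readme_source.md, it is cheap to fold that correction into the same commit before the README is regenerated.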
From 5e017888fe775e1e9752a1721d4960cddf68d4a6 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Tue, 23 Apr 2024 14:13:05 +0000 Subject: [PATCH 065/108] Update generated README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1d82d4b1..e79173dd 100644 --- a/README.md +++ b/README.md 
@@ -290,7 +290,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. -*Entry Parameters Tab: +- Entry Parameters Tab: - See specific certificate store type instructions below 
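Review bot: This hunk is the generated README.md copy (per the "Update generated README" subject) of the Entry Parameters Tab fix in the previous patch and carries along the same unchanged `delimitter` and `Orchestator` typos. Because README.md is regenerated from readme_source.md, any wording fix has to be made in readme_source.md or it will be lost on the next regeneration; nothing should be hand-edited here.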
From 9246305dcf4a99d8f34744b2114e83a0a317e240 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Tue, 23 Apr 2024 15:16:43 +0000 Subject: [PATCH 066/108] ab#55565 --- readme_source.md | 139 +++++++++++++++++++++++++---------------------- 1 file changed, 75 insertions(+), 64 deletions(-) diff --git a/readme_source.md b/readme_source.md index bd3ad92a..904ef7f7 100644 --- a/readme_source.md +++ b/readme_source.md @@ -1,22 +1,88 @@  ## Overview The Remote File Orchestrator Extension is a multi-purpose integration that can remotely manage a variety of file-based certificate stores and can easily be extended to manage others. The certificate store types that can be managed in the current version are: -- Java Keystores of type JKS -- PKCS12 files, including, but not limited to, Java keystores of type PKCS12 -- PEM formatted files -- DER formatted files -- IBM Key Database files (KDB) -- Oracle Wallet Pkcs12 files + +
+RFPkcs12 + +The RFPkcs12 store type can be used to manage any PKCS#12 compliant file format INCLUDING java keystores of type PKCS12. + +Use cases supported: +1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. +2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. +3. A mix of trust and key entries. + +
+ +
+RFJKS + +The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. + +Use cases supported: +1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. +2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. +3. A mix of trust and key entries. + +
+ +
+RFPEM + +The RFPEM store type can be used to manage PEM encoded files. + +Use cases supported: +1. Trust stores - A file with one-to-many certificates (no private keys, no certificate chains). +2. Single certificate stores with private key in the file. +3. Single certificate stores with certificate chain and private key in the file. +4. Single certificate stores with private key in an external file. +5. Single certificate stores with certificate chain in the file and private key in an external file + +
+ +
+ +RFDER + +The RFDER store type can be used to manage DER encoded files. + +Use cases supported: +1. Single certificate stores with private key in an external file. +2. Single certificate stores with no private key. + +
+ +
+RFKDB + +The RFKDB store type can be used to manage IBM Key Database Files (KDB) files. The IBM utility, GSKCAPICMD, is used to read and write certificates from and to the target store and is therefore required to be installed on the server where each KDB certificate store being managed resides, and its location MUST be in the system $Path. + +Use cases supported: +1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. +2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. +3. A mix of trust and key entries. + +
+ +
+RFORA + +The RFORA store type can be used to manage Pkcs12 Oracle Wallets. Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows. Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created. + +Use cases supported: +1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. +2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. +3. A mix of trust and key entries. + +
While the Keyfactor Universal Orchestrator (UO) can be installed on either Windows or Linux; likewise, the Remote File Orchestrator Extension can be used to manage certificate stores residing on both Windows and Linux servers. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are shown below: | | UO Installed on Windows | UO Installed on Linux | |-----|-----|------| -|Orchestrated Server on remote Windows server|✓ | | +|Orchestrated Server on remote Windows server|✓ |✓ | |Orchestrated Server on remote Linux server|✓ |✓ | |Orchestrated Server on same server as orchestrator service (Agent)|✓ |✓ | - -This orchestrator extension makes use of an SSH connection to communicate remotely with certificate stores hosted on Linux servers and WinRM to communicate with certificate stores hosted on Windows servers.     ## Versioning @@ -198,15 +264,6 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
RFPkcs12 Certificate Store Type -The RFPkcs12 store type can be used to manage any PKCS#12 compliant file format INCLUDING java keystores of type PKCS12. - -Use cases supported: -1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. -2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. -3. A mix of trust and key entries. - -**Specific Certificate Store Type Values** - - Basic Tab: - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). @@ -229,15 +286,6 @@ Use cases supported:
RFJKS Certificate Store Type -The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. - -Use cases supported: -1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. -2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. -3. A mix of trust and key entries. - -**Specific Certificate Store Type Values** - - Basic Tab: - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). @@ -260,17 +308,6 @@ Use cases supported:
RFPEM Certificate Store Type -The RFPEM store type can be used to manage PEM encoded files. - -Use cases supported: -1. Trust stores - A file with one-to-many certificates (no private keys, no certificate chains). -2. Single certificate stores with private key in the file. -3. Single certificate stores with certificate chain and private key in the file. -4. Single certificate stores with private key in an external file. -5. Single certificate stores with certificate chain in the file and private key in an external file - -**Specific Certificate Store Type Values** - - Basic Tab: - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). @@ -297,14 +334,6 @@ Use cases supported:
RFDER Certificate Store Type -The RFDER store type can be used to manage DER encoded files. - -Use cases supported: -1. Single certificate stores with private key in an external file. -5. Single certificate stores with no private key. - -**Specific Certificate Store Type Values** - - Basic Tab: - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). @@ -327,15 +356,6 @@ Use cases supported:
RFKDB Certificate Store Type -The RFKDB store type can be used to manage IBM Key Database Files (KDB) files. The IBM utility, GSKCAPICMD, is used to read and write certificates from and to the target store and is therefore required to be installed on the server where each KDB certificate store being managed resides, and its location MUST be in the system $Path. - -Use cases supported: -1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. -2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. -3. A mix of trust and key entries. - -**Specific Certificate Store Type Values** - - Basic Tab: - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). @@ -358,15 +378,6 @@ Use cases supported:
RFORA Certificate Store Type -The RFORA store type can be used to manage Pkcs2 Oracle Wallets. Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows. Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created. - -Use cases supported: -1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. -2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. -3. A mix of trust and key entries. - -**Specific Certificate Store Type Values** - - Basic Tab: - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). From e1425f717189db50e024511d09045429526e0f54 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Tue, 23 Apr 2024 15:17:22 +0000 Subject: [PATCH 067/108] Update generated README --- README.md | 139 +++++++++++++++++++++++++++++------------------------- 1 file changed, 75 insertions(+), 64 deletions(-) diff --git a/README.md b/README.md index e79173dd..c395ec02 100644 --- a/README.md +++ b/README.md 
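Review bot: In the readme_source.md Overview hunk of PATCH 066 (@@ -1,22 +1,88 @@), the removed line "This orchestrator extension makes use of an SSH connection to communicate remotely with certificate stores hosted on Linux servers and WinRM to communicate with certificate stores hosted on Windows servers." is the only statement in this hunk telling an administrator which remote protocols the extension depends on, and hence which ports, credentials and host trust they must provision; none of the added lines replaces it. Either keep that sentence in the Overview or confirm in the commit message that the Prerequisites section states the same thing. The same hunk also flips the "Orchestrated Server on remote Windows server" cell under "UO Installed on Linux" from blank to ✓, which changes a supported-configuration claim; the diffstat shows only readme_source.md changed, so there is no CHANGELOG entry and no note on how a Linux-hosted orchestrator is expected to reach WinRM. Add both, or leave the cell alone until that path has been tested. Minor style points in the added blocks: RFPEM use case 5 has no terminal period, RFKDB reads "IBM Key Database Files (KDB) files" (redundant) and "$Path" where PATH is meant, and the RFDER block has an extra blank `+` line before `+RFDER` that the other five blocks do not have. The subject `ab#55565` is just a work-item id; a descriptive subject such as "Move store type descriptions into Overview" would make this series easier to follow.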
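Review bot: Each of the six per-type hunks in PATCH 066 (@@ -198,15 +264,6 @@ through @@ -358,15 +378,6 @@) removes the description and "Use cases supported" list together with the `**Specific Certificate Store Type Values**` heading, so after this change each "RF… Certificate Store Type" summary line is followed directly by `- Basic Tab:` with no lead-in. If the heading was meant to survive the move, re-add it; if not, check the rendered page so the blank-line structure around the remaining list still renders as a list. Two of the removed blocks contained errors, `Pkcs2` in the RFORA text and the `1., 5.` numbering in the RFDER list, and the new Overview copies in the first hunk have them corrected (`Pkcs12`, `1., 2.`), so nothing is lost there. PATCH 067 (README.md @@ -102,22 +102,88 @@ onward) is the generated mirror of all of this; the same comments apply to it, and it should not be edited independently of readme_source.md.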
@@ -102,22 +102,88 @@ This text would be entered in as the value for the __Server Password__, instead  ## Overview The Remote File Orchestrator Extension is a multi-purpose integration that can remotely manage a variety of file-based certificate stores and can easily be extended to manage others. The certificate store types that can be managed in the current version are: -- Java Keystores of type JKS -- PKCS12 files, including, but not limited to, Java keystores of type PKCS12 -- PEM formatted files -- DER formatted files -- IBM Key Database files (KDB) -- Oracle Wallet Pkcs12 files + +
+RFPkcs12 + +The RFPkcs12 store type can be used to manage any PKCS#12 compliant file format INCLUDING java keystores of type PKCS12. + +Use cases supported: +1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. +2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. +3. A mix of trust and key entries. + +
+ +
+RFJKS + +The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. + +Use cases supported: +1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. +2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. +3. A mix of trust and key entries. + +
+ +
+RFPEM + +The RFPEM store type can be used to manage PEM encoded files. + +Use cases supported: +1. Trust stores - A file with one-to-many certificates (no private keys, no certificate chains). +2. Single certificate stores with private key in the file. +3. Single certificate stores with certificate chain and private key in the file. +4. Single certificate stores with private key in an external file. +5. Single certificate stores with certificate chain in the file and private key in an external file + +
+ +
+ +RFDER + +The RFDER store type can be used to manage DER encoded files. + +Use cases supported: +1. Single certificate stores with private key in an external file. +2. Single certificate stores with no private key. + +
+ +
+RFKDB + +The RFKDB store type can be used to manage IBM Key Database Files (KDB) files. The IBM utility, GSKCAPICMD, is used to read and write certificates from and to the target store and is therefore required to be installed on the server where each KDB certificate store being managed resides, and its location MUST be in the system $Path. + +Use cases supported: +1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. +2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. +3. A mix of trust and key entries. + +
+ +
+RFORA + +The RFORA store type can be used to manage Pkcs12 Oracle Wallets. Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows. Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created. + +Use cases supported: +1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. +2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. +3. A mix of trust and key entries. + +
While the Keyfactor Universal Orchestrator (UO) can be installed on either Windows or Linux; likewise, the Remote File Orchestrator Extension can be used to manage certificate stores residing on both Windows and Linux servers. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are shown below: | | UO Installed on Windows | UO Installed on Linux | |-----|-----|------| -|Orchestrated Server on remote Windows server|✓ | | +|Orchestrated Server on remote Windows server|✓ |✓ | |Orchestrated Server on remote Linux server|✓ |✓ | |Orchestrated Server on same server as orchestrator service (Agent)|✓ |✓ | - -This orchestrator extension makes use of an SSH connection to communicate remotely with certificate stores hosted on Linux servers and WinRM to communicate with certificate stores hosted on Windows servers.     ## Versioning @@ -299,15 +365,6 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
RFPkcs12 Certificate Store Type -The RFPkcs12 store type can be used to manage any PKCS#12 compliant file format INCLUDING java keystores of type PKCS12. - -Use cases supported: -1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. -2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. -3. A mix of trust and key entries. - -**Specific Certificate Store Type Values** - - Basic Tab: - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). @@ -330,15 +387,6 @@ Use cases supported:
RFJKS Certificate Store Type -The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. - -Use cases supported: -1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. -2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. -3. A mix of trust and key entries. - -**Specific Certificate Store Type Values** - - Basic Tab: - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). @@ -361,17 +409,6 @@ Use cases supported:
RFPEM Certificate Store Type -The RFPEM store type can be used to manage PEM encoded files. - -Use cases supported: -1. Trust stores - A file with one-to-many certificates (no private keys, no certificate chains). -2. Single certificate stores with private key in the file. -3. Single certificate stores with certificate chain and private key in the file. -4. Single certificate stores with private key in an external file. -5. Single certificate stores with certificate chain in the file and private key in an external file - -**Specific Certificate Store Type Values** - - Basic Tab: - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). @@ -398,14 +435,6 @@ Use cases supported:
RFDER Certificate Store Type -The RFDER store type can be used to manage DER encoded files. - -Use cases supported: -1. Single certificate stores with private key in an external file. -5. Single certificate stores with no private key. - -**Specific Certificate Store Type Values** - - Basic Tab: - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). @@ -428,15 +457,6 @@ Use cases supported:
RFKDB Certificate Store Type -The RFKDB store type can be used to manage IBM Key Database Files (KDB) files. The IBM utility, GSKCAPICMD, is used to read and write certificates from and to the target store and is therefore required to be installed on the server where each KDB certificate store being managed resides, and its location MUST be in the system $Path. - -Use cases supported: -1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. -2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. -3. A mix of trust and key entries. - -**Specific Certificate Store Type Values** - - Basic Tab: - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). @@ -459,15 +479,6 @@ Use cases supported:
RFORA Certificate Store Type -The RFORA store type can be used to manage Pkcs2 Oracle Wallets. Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows. Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created. - -Use cases supported: -1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. -2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. -3. A mix of trust and key entries. - -**Specific Certificate Store Type Values** - - Basic Tab: - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). From f1da068e8b931762cc348bbe1be9c19f9ad19388 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Tue, 23 Apr 2024 15:23:07 +0000 Subject: [PATCH 068/108] ab#55565 --- readme_source.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/readme_source.md b/readme_source.md index 904ef7f7..7b181bf2 100644 --- a/readme_source.md +++ b/readme_source.md @@ -3,7 +3,7 @@ The Remote File Orchestrator Extension is a multi-purpose integration that can remotely manage a variety of file-based certificate stores and can easily be extended to manage others. The certificate store types that can be managed in the current version are:
-RFPkcs12 +RFPkcs12 The RFPkcs12 store type can be used to manage any PKCS#12 compliant file format INCLUDING java keystores of type PKCS12. @@ -15,7 +15,7 @@ Use cases supported:
-RFJKS +RFJKS The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. @@ -27,7 +27,7 @@ Use cases supported:
-RFPEM +RFPEM The RFPEM store type can be used to manage PEM encoded files. @@ -42,7 +42,7 @@ Use cases supported:
-RFDER +RFDER The RFDER store type can be used to manage DER encoded files. @@ -53,7 +53,7 @@ Use cases supported:
-RFKDB +RFKDB The RFKDB store type can be used to manage IBM Key Database Files (KDB) files. The IBM utility, GSKCAPICMD, is used to read and write certificates from and to the target store and is therefore required to be installed on the server where each KDB certificate store being managed resides, and its location MUST be in the system $Path. @@ -65,7 +65,7 @@ Use cases supported:
-RFORA +RFORA The RFORA store type can be used to manage Pkcs12 Oracle Wallets. Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows. Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created. From 18b9828c0339ef53d1cfd9eaf76d400349dfcf61 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Tue, 23 Apr 2024 15:23:42 +0000 Subject: [PATCH 069/108] Update generated README --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index c395ec02..9684186d 100644 --- a/README.md +++ b/README.md @@ -104,7 +104,7 @@ This text would be entered in as the value for the __Server Password__, instead The Remote File Orchestrator Extension is a multi-purpose integration that can remotely manage a variety of file-based certificate stores and can easily be extended to manage others. The certificate store types that can be managed in the current version are:
-RFPkcs12 +RFPkcs12 The RFPkcs12 store type can be used to manage any PKCS#12 compliant file format INCLUDING java keystores of type PKCS12. @@ -116,7 +116,7 @@ Use cases supported:
-RFJKS +RFJKS The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. @@ -128,7 +128,7 @@ Use cases supported:
-RFPEM +RFPEM The RFPEM store type can be used to manage PEM encoded files. @@ -143,7 +143,7 @@ Use cases supported:
-RFDER +RFDER The RFDER store type can be used to manage DER encoded files. @@ -154,7 +154,7 @@ Use cases supported:
-RFKDB +RFKDB The RFKDB store type can be used to manage IBM Key Database Files (KDB) files. The IBM utility, GSKCAPICMD, is used to read and write certificates from and to the target store and is therefore required to be installed on the server where each KDB certificate store being managed resides, and its location MUST be in the system $Path. @@ -166,7 +166,7 @@ Use cases supported:
-RFORA +RFORA The RFORA store type can be used to manage Pkcs12 Oracle Wallets. Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows. Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created. From 9ea7b558d8761d1b2179533c74b76ab8a5ed5fbb Mon Sep 17 00:00:00 2001 From: leefine02 Date: Tue, 23 Apr 2024 17:58:30 +0000 Subject: [PATCH 070/108] ab#55565 --- readme_source.md | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/readme_source.md b/readme_source.md index 7b181bf2..b5fa1523 100644 --- a/readme_source.md +++ b/readme_source.md 
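Review bot: In all six hunks of PATCH 068 (readme_source.md @@ -3,7 +3,7 @@ through @@ -65,7 +65,7 @@) the removed and added lines read identically in this view (`-RFPkcs12` / `+RFPkcs12`, and so on for RFJKS, RFPEM, RFDER, RFKDB and RFORA), so whatever actually changed on those lines is not reviewable from the hunks, and the subject `ab#55565` does not say either. Please state in the commit message what was changed on each RF… line; as shown here a reviewer cannot distinguish a whitespace edit from a markup change. PATCH 069 is the generated README.md copy of the same six lines and the same comment applies.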
@@ -124,16 +124,17 @@ Please consult with your company's system administrator for more information on   ## Remote File Orchestrator Extension Installation -1. Create the certificate store types you wish to manage. Please refer to the individual sections devoted to each supported store type under "Certificate Store Types" later in this README. -2. Stop the Keyfactor Universal Orchestrator Service for the orchestrator you plan to install this extension to run on. -3. In the Keyfactor Orchestrator installation folder (by convention usually C:\Program Files\Keyfactor\Keyfactor Orchestrator), find the "Extensions" folder. Underneath that, create a new folder named "RemoteFile". You may choose to use a different name if you wish. -4. Download the latest version of the RemoteFile orchestrator extension from [GitHub](https://github.com/Keyfactor/remote-file-orchestrator). Click on the "Latest" release link on the right hand side of the main page and download the first zip file. -5. Copy the contents of the download installation zip file to the folder created in Step 3. -6. (Optional) If you decide to create one or more certificate store types with short names different than the suggested values (please see the individual certificate store type sections in "Certificate Store Types" later in this README for more information regarding certificate store types), edit the manifest.json file in the folder you created in step 3, and modify each "ShortName" in each "Certstores.{ShortName}.{Operation}" line with the ShortName you used to create the respective certificate store type. If you created it with the suggested values, this step can be skipped. -7. Modify the config.json file (See the "Configuration File Setup" section later in this README) -8. Start the Keyfactor Universal Orchestrator Service. -
+1. Review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) section and make sure your environment is set up as required. +2. Refer to the [Certificate Store Types](#certificate-store-types) section to create the certificate store types you wish to manage. +3. Stop the Keyfactor Universal Orchestrator Service on the server you plan to install this extension to run on. +4. In the Keyfactor Orchestrator installation folder (by convention usually C:\Program Files\Keyfactor\Keyfactor Orchestrator), find the "Extensions" folder. Underneath that, create a new folder named "RemoteFile". You may choose to use a different name if you wish. +5. Download the latest version of the RemoteFile orchestrator extension from [GitHub](https://github.com/Keyfactor/remote-file-orchestrator). Click on the "Latest" release link on the right hand side of the main page and download the first zip file. +6. Copy the contents of the download installation zip file to the folder created in step 4. +7. (Optional) If you decide to create one or more certificate store types with short names different than the suggested values, edit the manifest.json file in the folder you created in step 4, and modify each "ShortName" in each "Certstores.{ShortName}.{Operation}" line with the ShortName you used to create the respective certificate store type. +8. Modify the config.json file to use the settings you desire. Please go to [Configuration File Setup](#configuration-file-setup] to learn more. +9. Start the Keyfactor Universal Orchestrator Service. +
  ## Configuration File Setup @@ -266,7 +267,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). + - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. - Advanced Tab: @@ -288,7 +289,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). + - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. - Advanced Tab: @@ -310,7 +311,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). + - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. - Advanced Tab: 
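Review bot: step 8 of the rewritten installation list has a mismatched link delimiter, `[Configuration File Setup](#configuration-file-setup]`, so the link will not render; close it with `)` rather than `]`. The renumbering itself is consistent (step 7 now points at "the folder you created in step 4"), but the old "step 6 above" cross-references elsewhere in the file must move to "step 7" with it, which the following hunks do.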
@@ -336,7 +337,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). + - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. - Advanced Tab: @@ -358,7 +359,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). + - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. - Advanced Tab: @@ -380,7 +381,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). + - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. - Advanced Tab: 
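Review bot: each rewritten Short Name bullet (RFPkcs12, RFJKS, RFPEM, RFDER, RFKDB, RFORA) links to `(#remote-file-orchestrator-extension}`; the closing `}` should be `)`, and the slug does not match the target heading `## Remote File Orchestrator Extension Installation`, which GitHub renders as `#remote-file-orchestrator-extension-installation`. Suggest `See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation), step 7 above.` in all six places, or keep the plain-text reference the removed lines used, which cannot break.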
From 5f82f7630376c8344ee80f3d99e9582a0e2c5e68 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Tue, 23 Apr 2024 17:59:12 +0000 Subject: [PATCH 071/108] Update generated README --- README.md | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 9684186d..a3bfce78 100644 --- a/README.md +++ b/README.md 
@@ -225,16 +225,17 @@ Please consult with your company's system administrator for more information on   ## Remote File Orchestrator Extension Installation -1. Create the certificate store types you wish to manage. Please refer to the individual sections devoted to each supported store type under "Certificate Store Types" later in this README. -2. Stop the Keyfactor Universal Orchestrator Service for the orchestrator you plan to install this extension to run on. -3. In the Keyfactor Orchestrator installation folder (by convention usually C:\Program Files\Keyfactor\Keyfactor Orchestrator), find the "Extensions" folder. Underneath that, create a new folder named "RemoteFile". You may choose to use a different name if you wish. -4. Download the latest version of the RemoteFile orchestrator extension from [GitHub](https://github.com/Keyfactor/remote-file-orchestrator). Click on the "Latest" release link on the right hand side of the main page and download the first zip file. -5. Copy the contents of the download installation zip file to the folder created in Step 3. -6. (Optional) If you decide to create one or more certificate store types with short names different than the suggested values (please see the individual certificate store type sections in "Certificate Store Types" later in this README for more information regarding certificate store types), edit the manifest.json file in the folder you created in step 3, and modify each "ShortName" in each "Certstores.{ShortName}.{Operation}" line with the ShortName you used to create the respective certificate store type. If you created it with the suggested values, this step can be skipped. -7. Modify the config.json file (See the "Configuration File Setup" section later in this README) -8. Start the Keyfactor Universal Orchestrator Service. -
+1. Review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) section and make sure your environment is set up as required. +2. Refer to the [Certificate Store Types](#certificate-store-types) section to create the certificate store types you wish to manage. +3. Stop the Keyfactor Universal Orchestrator Service on the server you plan to install this extension to run on. +4. In the Keyfactor Orchestrator installation folder (by convention usually C:\Program Files\Keyfactor\Keyfactor Orchestrator), find the "Extensions" folder. Underneath that, create a new folder named "RemoteFile". You may choose to use a different name if you wish. +5. Download the latest version of the RemoteFile orchestrator extension from [GitHub](https://github.com/Keyfactor/remote-file-orchestrator). Click on the "Latest" release link on the right hand side of the main page and download the first zip file. +6. Copy the contents of the download installation zip file to the folder created in step 4. +7. (Optional) If you decide to create one or more certificate store types with short names different than the suggested values, edit the manifest.json file in the folder you created in step 4, and modify each "ShortName" in each "Certstores.{ShortName}.{Operation}" line with the ShortName you used to create the respective certificate store type. +8. Modify the config.json file to use the settings you desire. Please go to [Configuration File Setup](#configuration-file-setup] to learn more. +9. Start the Keyfactor Universal Orchestrator Service. +
  ## Configuration File Setup @@ -367,7 +368,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). + - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. - Advanced Tab: @@ -389,7 +390,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). + - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. - Advanced Tab: @@ -411,7 +412,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). + - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. - Advanced Tab: 
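Review bot: the generated README reproduces the `(#configuration-file-setup]` bracket mismatch from readme_source.md in step 8; since this file is generated, the fix belongs in readme_source.md followed by a regeneration rather than a hand edit here.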
@@ -437,7 +438,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). + - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. - Advanced Tab: @@ -459,7 +460,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). + - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. - Advanced Tab: @@ -481,7 +482,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file (see "Remote File Orchestrator Extension Installation", step 6 above). + - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. - Advanced Tab: 
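Review bot: the six `(#remote-file-orchestrator-extension}` anchors are carried into the generated README as well and will stay broken after every regeneration until readme_source.md is corrected; the delimiter should be `)` and the slug of the target heading is `#remote-file-orchestrator-extension-installation`.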
From 51c6ecbe0bb11f1b34fe643a4421526acc6123e9 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Tue, 23 Apr 2024 18:21:47 +0000 Subject: [PATCH 072/108] ab#55565 --- readme_source.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme_source.md b/readme_source.md index b5fa1523..c323ccb1 100644 --- a/readme_source.md +++ b/readme_source.md @@ -131,7 +131,7 @@ Please consult with your company's system administrator for more information on 5. Download the latest version of the RemoteFile orchestrator extension from [GitHub](https://github.com/Keyfactor/remote-file-orchestrator). Click on the "Latest" release link on the right hand side of the main page and download the first zip file. 6. Copy the contents of the download installation zip file to the folder created in step 4. 7. (Optional) If you decide to create one or more certificate store types with short names different than the suggested values, edit the manifest.json file in the folder you created in step 4, and modify each "ShortName" in each "Certstores.{ShortName}.{Operation}" line with the ShortName you used to create the respective certificate store type. -8. Modify the config.json file to use the settings you desire. Please go to [Configuration File Setup](#configuration-file-setup] to learn more. +8. Modify the config.json file to use the settings you desire. Please go to [Configuration File Setup](#configuration-file-setup) to learn more. 9. Start the Keyfactor Universal Orchestrator Service.
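Review bot: the `]` to `)` fix in step 8 is correct and the link now resolves to the `## Configuration File Setup` heading. The same commit leaves the six Short Name bullets pointing at `(#remote-file-orchestrator-extension}`, which has the same class of error (wrong closing delimiter plus a slug that does not match the "Remote File Orchestrator Extension Installation" heading); fixing them in this pass would save another regenerate round trip.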
From 935698d3012787720a4934ed5eb4a76c428fdf5a Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Tue, 23 Apr 2024 18:22:28 +0000 Subject: [PATCH 073/108] Update generated README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a3bfce78..eae4cb46 100644 --- a/README.md +++ b/README.md @@ -232,7 +232,7 @@ Please consult with your company's system administrator for more information on 5. Download the latest version of the RemoteFile orchestrator extension from [GitHub](https://github.com/Keyfactor/remote-file-orchestrator). Click on the "Latest" release link on the right hand side of the main page and download the first zip file. 6. Copy the contents of the download installation zip file to the folder created in step 4. 7. (Optional) If you decide to create one or more certificate store types with short names different than the suggested values, edit the manifest.json file in the folder you created in step 4, and modify each "ShortName" in each "Certstores.{ShortName}.{Operation}" line with the ShortName you used to create the respective certificate store type. -8. Modify the config.json file to use the settings you desire. Please go to [Configuration File Setup](#configuration-file-setup] to learn more. +8. Modify the config.json file to use the settings you desire. Please go to [Configuration File Setup](#configuration-file-setup) to learn more. 9. Start the Keyfactor Universal Orchestrator Service.
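Review bot: this regenerated README matches the readme_source.md fix in the previous commit; nothing further here except that the `(#remote-file-orchestrator-extension}` anchors remain and will be regenerated unchanged until the source is corrected.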
From b56ad3180c6fef489ffbd04d52b5c129621be02b Mon Sep 17 00:00:00 2001 From: leefine02 Date: Tue, 23 Apr 2024 19:26:41 +0000 Subject: [PATCH 074/108] ab#55565 --- readme_source.md | 119 +++++++++++++++++++++++++++++++---------------- 1 file changed, 80 insertions(+), 39 deletions(-) diff --git a/readme_source.md b/readme_source.md index c323ccb1..e312bb6b 100644 --- a/readme_source.md +++ b/readme_source.md @@ -125,7 +125,7 @@ Please consult with your company's system administrator for more information on   ## Remote File Orchestrator Extension Installation 1. Review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) section and make sure your environment is set up as required. -2. Refer to the [Certificate Store Types](#certificate-store-types) section to create the certificate store types you wish to manage. +2. Refer to the [Creating Certificate Store Types](#creating-certificate-store-types) section to create the certificate store types you wish to manage. 3. Stop the Keyfactor Universal Orchestrator Service on the server you plan to install this extension to run on. 4. In the Keyfactor Orchestrator installation folder (by convention usually C:\Program Files\Keyfactor\Keyfactor Orchestrator), find the "Extensions" folder. Underneath that, create a new folder named "RemoteFile". You may choose to use a different name if you wish. 5. Download the latest version of the RemoteFile orchestrator extension from [GitHub](https://github.com/Keyfactor/remote-file-orchestrator). Click on the "Latest" release link on the right hand side of the main page and download the first zip file. @@ -163,7 +163,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
DefaultSudoImpersonatedUser (Applicable for Linux hosted certificate stores only) -* Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is set to an empty string, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Prerequisites and Security Considerations" section above. This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the Certificate Store Types section. +* Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is set to an empty string, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Prerequisites and Security Considerations" section above. This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the [Creating Certificate Store Types](#creating-certificate-store-types) section. * Allowed values - Any valid user id that the destination Linux server will recognize * Default value - blank (root will be used) @@ -224,17 +224,17 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
  -## Certificate Store Types +## Creating Certificate Store Types -Below are the various certificate store types that the RemoteFile Orchestator Extension manages. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. This section is broken out into the store type settings that are common for all managed certificate store types, followed by each individual store type and it's additional or different settings. +Below are the various certificate store types that the RemoteFile Orchestator Extension manages. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. Next, follow the incstructions under each store type you wish to set up. -
-Common Store Type Settings for all Types: +
+RFPkcs12 Certificate Store Type - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **ShortName** - Required. See specific certificate store type instructions below. + - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked @@ -246,8 +246,8 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Advanced Tab: - **Store Path Type** - Freeform - - **Supports Custom Alias** - See specific certificate store type instructions below. - - **Private Key Handling** - See specific certificate store type instructions below + - **Supports Custom Alias** - Required. + - **Private Key Handling** - Optional. - **PFX Password Style** - Default - Custom Fields Tab: 
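Review bot: the DefaultSudoImpersonatedUser bullet is being rewritten anyway, so fix "overriden" to "overridden" in the same line, and consider linking "Prerequisites and Security Considerations" as `[Prerequisites and Security Considerations](#prerequisites-and-security-considerations)` the way the sentence now links Creating Certificate Store Types; the reader is being sent there for the exact command list the impersonated user must be permitted to run under sudo, so the jump should work.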
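Review bot: the rewritten section intro has typos in the added line: "incstructions" should be "instructions", and "Orchestator" in the same sentence (carried over from the old line) should be "Orchestrator". In the inlined RFPkcs12 settings the Short Name bullet still links to `(#remote-file-orchestrator-extension}` (should be `(#remote-file-orchestrator-extension-installation)`), the LinuxFileOwnerOnStoreCreation text says "delimitter", and the SudoImpersonatedUser text refers to the "Security Considerations" section while the section is titled, and linked elsewhere as, "Prerequisites and Security Considerations". Because this hunk copies the former common block into the store type, each of these strings now exists once per store type, so any correction made here has to be applied to every copy (the RFJKS and RFPEM hunks below repeat the same text).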
@@ -256,28 +256,6 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. -- Entry Parameters Tab: - - - See specific certificate store type instructions below - -
- -
-RFPkcs12 Certificate Store Type - -- Basic Tab: - - - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. - -- Advanced Tab: - - - **Supports Custom Alias** - Required. - - **Private Key Handling** - Optional. - -- Custom Fields Tab: - - - no adittional custom fields/parameters - - Entry Parameters Tab: - no additional entry parameters @@ -285,20 +263,32 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFJKS Certificate Store Type +RFJKS Certificate Store Type - Basic Tab: + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Custom Capability** - Unchecked + - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. + - **Needs Server** - Checked + - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. + - **Uses PowerShell** - Unchecked + - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. + - **Supports Entry Password** - Unchecked. - Advanced Tab: + - **Store Path Type** - Freeform - **Supports Custom Alias** - Required. - **Private Key Handling** - Optional. + - **PFX Password Style** - Default - Custom Fields Tab: - - no adittional custom fields/parameters + - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. 
This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". + - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. 
Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. - Entry Parameters Tab: @@ -307,19 +297,32 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFPEM Certificate Store Type +RFPEM Certificate Store Type - Basic Tab: + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Custom Capability** - Unchecked + - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. + - **Needs Server** - Checked + - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. + - **Uses PowerShell** - Unchecked + - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. + - **Supports Entry Password** - Unchecked. - Advanced Tab: + - **Store Path Type** - Freeform - **Supports Custom Alias** - Forbidden. - **Private Key Handling** - Optional. + - **PFX Password Style** - Default - Custom Fields Tab: + - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. 
This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". + - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. 
Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. - **Name:** IsTrustStore, **Display Name:** Trust Store, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true', this store will be identified as a trust store. Any certificates attempting to be added via a Management-Add job that contain a private key will raise an error with an accompanying message. Multiple certificates may be added to the store in this use case. If set to 'false', this store can only contain a single certificate with chain and private key. Management-Add jobs attempting to add a certificate without a private key to a store marked as IsTrustStore = 'false' will raise an error with an accompanying message. - **Name:** IncludesChain, **Display Name:** Store Includes Chain, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true' the full certificate chain, if sent by Keyfactor Command, will be stored in the file. The order of appearance is always assumed to be 1) end entity certificate, 2) issuing CA certificate, and 3) root certificate. If additional CA tiers are applicable, the order will be end entity certificate up to the root CA certificate. if set to 'false', only the end entity certificate and private key will be stored in this store. This setting is only valid when IsTrustStore = false. - **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that the private key for the certificate stored in this file will be inside the same file as the certificate. 
If the full path AND file name is put here, that location will be used to store the private key as an external file. This setting is only valid when IsTrustStore = false. @@ -333,19 +336,32 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFDER Certificate Store Type +RFDER Certificate Store Type - Basic Tab: + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Custom Capability** - Unchecked + - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. + - **Needs Server** - Checked + - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. + - **Uses PowerShell** - Unchecked + - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. + - **Supports Entry Password** - Unchecked. - Advanced Tab: + - **Store Path Type** - Freeform - **Supports Custom Alias** - Forbidden. - **Private Key Handling** - Optional. + - **PFX Password Style** - Default - Custom Fields Tab: + - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. 
This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". + - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. 
Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. - **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that there is no private key associated with this DER store. If the full path AND file name is entered here, that location will be used to store the private key as an external file in DER format. - Entry Parameters Tab: @@ -355,20 +371,32 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFKDB Certificate Store Type +RFKDB Certificate Store Type - Basic Tab: + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Custom Capability** - Unchecked + - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. + - **Needs Server** - Checked + - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. + - **Uses PowerShell** - Unchecked + - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. + - **Supports Entry Password** - Unchecked. - Advanced Tab: + - **Store Path Type** - Freeform - **Supports Custom Alias** - Required. - **Private Key Handling** - Optional. + - **PFX Password Style** - Default - Custom Fields Tab: - - no adittional custom fields/parameters + - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. 
This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". + - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. 
Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. - Entry Parameters Tab: @@ -377,19 +405,32 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFORA Certificate Store Type +RFORA Certificate Store Type - Basic Tab: + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Custom Capability** - Unchecked + - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. + - **Needs Server** - Checked + - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. + - **Uses PowerShell** - Unchecked + - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. + - **Supports Entry Password** - Unchecked. - Advanced Tab: + - **Store Path Type** - Freeform - **Supports Custom Alias** - Required. - **Private Key Handling** - Optional. + - **PFX Password Style** - Default - Custom Fields Tab: + - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. 
This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". + - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. 
Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. - **Name:** WorkFolder, **Display Name:** Work Folder, **Type:** String, **Default Value:** empty. This custom field is **required**. This required field should contain the path on the managed server where temporary work files can be created during Inventory and Management jobs. These files will be removed at the end of each job Please make sure that user id you have assigned to this certificate store will have access to create, modify, and delete files from this folder. - Entry Parameters Tab: @@ -432,7 +473,7 @@ Steps to create a new supported file based certificate store type: 8. After compiling, move all compiled files, including the config.json and manifest.json to {Keyfactor Orchestrator Installation Folder}\Extensions\RemoteFile. 9. Create the certificate store type in Keyfactor Command 10. Add a new CURL script to build the proper Keyfactor Command certificate store type and place it under "Certificate Store Type CURL Scripts". The name of the file should match the ShortName you are using for the new store type. -11. Update the documenation in readme_source.md by adding a new section under "Certificate Store Types" for this new supported file based store type. Include a pointer to the CURL script created in step 10. +11. Update the documenation in readme_source.md by adding a new section under [Creating Certificate Store Types](#creating-certificate-store-types) for this new supported file based store type. Include a pointer to the CURL script created in step 10.     ## License From 7d7e3c82c5bac0936bee0af3993057d6e6fb2790 Mon Sep 17 00:00:00 2001 
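Review bot: The LinuxFilePermissionsOnStoreCreation line added in the RFPEM custom fields hunk (the hunk that ends "This setting is only valid when IsTrustStore = false.") only says the value "must be 3 digits all between 0-7" and gives no guidance on what to choose, even though an RFPEM store with IsTrustStore = false holds the private key (inline or at SeparatePrivateKeyFilePath). Suggest recommending a restrictive mode such as 600 (or 640 when a service group must read it) and stating plainly that a group- or world-readable mode exposes the private key; it would also help to say whether a leading-zero form like "0600" is rejected, since "3 digits" implies it is.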
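Review bot: The LinuxFilePermissionsOnStoreCreation and LinuxFileOwnerOnStoreCreation lines added in the RFDER hunk (@@ -333,19 +336,32 @@) tell the reader to set "the config.json option CreateStoreOnAddIsMissing", but that name does not follow the exact-key naming the same lines use for DefaultLinuxPermissionsOnStoreCreation, DefaultOwnerOnStoreCreation and DefaultSudoImpersonatedUser, and nothing in this diff shows a config.json key by that name. Please verify it against the key actually read by the extension and the sample in the Configuration File Setup section; a reader who copies a wrong key into config.json will silently get the default behaviour. The same sentence is repeated in the RFPEM, RFKDB and RFORA hunks.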
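Review bot: The SudoImpersonatedUser line added in the RFKDB hunk (@@ -355,20 +371,32 @@) lists what the impersonated user must be able to do but not what the SSH login user must be allowed to do: with UseSudo="Y" the login account needs a sudoers rule whose Runas part permits running the required commands as that target user, otherwise sudo refuses the impersonation regardless of the target user's file permissions. Suggest adding one sentence to that effect. In the same line, "the commands listed in the "Security Considerations" section above" should name the heading this README actually uses, "Prerequisites and Security Considerations", so the cross-reference resolves.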
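Review bot: The LinuxFileOwnerOnStoreCreation line added in the RFORA hunk (@@ -377,19 +405,32 @@) asks the reader to "confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner", but on Linux only a privileged process (root or CAP_CHOWN) can give a file away to another owner, so this field effectively requires UseSudo="Y" with a privileged impersonated user; combined with the new SudoImpersonatedUser field introduced in the same hunk, a non-root impersonated user will make store creation with a different owner fail. The text should state that dependency explicitly rather than leaving it to the reader. Also in that line, "delimitter" should be "delimiter" (the typo is copied into the RFPEM, RFDER and RFKDB hunks as well).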
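Review bot: The rewritten step 11 line in the hunk @@ -432,7 +473,7 @@ still reads "Update the documenation in readme_source.md"; since the line is being changed anyway, fix "documenation" to "documentation" here rather than leaving it for another pass.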
From: Keyfactor Date: Tue, 23 Apr 2024 19:27:17 +0000 Subject: [PATCH 075/108] Update generated README --- README.md | 119 ++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 80 insertions(+), 39 deletions(-) diff --git a/README.md b/README.md index eae4cb46..2287245a 100644 --- a/README.md +++ b/README.md @@ -226,7 +226,7 @@ Please consult with your company's system administrator for more information on   ## Remote File Orchestrator Extension Installation 1. Review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) section and make sure your environment is set up as required. -2. Refer to the [Certificate Store Types](#certificate-store-types) section to create the certificate store types you wish to manage. +2. Refer to the [Creating Certificate Store Types](#creating-certificate-store-types) section to create the certificate store types you wish to manage. 3. Stop the Keyfactor Universal Orchestrator Service on the server you plan to install this extension to run on. 4. In the Keyfactor Orchestrator installation folder (by convention usually C:\Program Files\Keyfactor\Keyfactor Orchestrator), find the "Extensions" folder. Underneath that, create a new folder named "RemoteFile". You may choose to use a different name if you wish. 5. Download the latest version of the RemoteFile orchestrator extension from [GitHub](https://github.com/Keyfactor/remote-file-orchestrator). Click on the "Latest" release link on the right hand side of the main page and download the first zip file. @@ -264,7 +264,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
DefaultSudoImpersonatedUser (Applicable for Linux hosted certificate stores only) -* Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is set to an empty string, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Prerequisites and Security Considerations" section above. This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the Certificate Store Types section. +* Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is set to an empty string, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see later in this section) as well as permissions to execute the commands listed in the "Prerequisites and Security Considerations" section above. This value will be used for all certificate stores managed by this orchestrator extension implementation UNLESS overriden by the SudoImpersonatedUser certificate store type custom field setting described later in the [Creating Certificate Store Types](#creating-certificate-store-types) section. * Allowed values - Any valid user id that the destination Linux server will recognize * Default value - blank (root will be used) @@ -325,17 +325,17 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
  -## Certificate Store Types +## Creating Certificate Store Types -Below are the various certificate store types that the RemoteFile Orchestator Extension manages. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. This section is broken out into the store type settings that are common for all managed certificate store types, followed by each individual store type and it's additional or different settings. +Below are the various certificate store types that the RemoteFile Orchestator Extension manages. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. Next, follow the incstructions under each store type you wish to set up. -
-Common Store Type Settings for all Types: +
+RFPkcs12 Certificate Store Type - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **ShortName** - Required. See specific certificate store type instructions below. + - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked @@ -347,8 +347,8 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Advanced Tab: - **Store Path Type** - Freeform - - **Supports Custom Alias** - See specific certificate store type instructions below. - - **Private Key Handling** - See specific certificate store type instructions below + - **Supports Custom Alias** - Required. + - **Private Key Handling** - Optional. - **PFX Password Style** - Default - Custom Fields Tab: 
@@ -357,28 +357,6 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. -- Entry Parameters Tab: - - - See specific certificate store type instructions below - -
- -
-RFPkcs12 Certificate Store Type - -- Basic Tab: - - - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. - -- Advanced Tab: - - - **Supports Custom Alias** - Required. - - **Private Key Handling** - Optional. - -- Custom Fields Tab: - - - no adittional custom fields/parameters - - Entry Parameters Tab: - no additional entry parameters @@ -386,20 +364,32 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFJKS Certificate Store Type +RFJKS Certificate Store Type - Basic Tab: + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Custom Capability** - Unchecked + - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. + - **Needs Server** - Checked + - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. + - **Uses PowerShell** - Unchecked + - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. + - **Supports Entry Password** - Unchecked. - Advanced Tab: + - **Store Path Type** - Freeform - **Supports Custom Alias** - Required. - **Private Key Handling** - Optional. + - **PFX Password Style** - Default - Custom Fields Tab: - - no adittional custom fields/parameters + - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. 
This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". + - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. 
Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. - Entry Parameters Tab: @@ -408,19 +398,32 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFPEM Certificate Store Type +RFPEM Certificate Store Type - Basic Tab: + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Custom Capability** - Unchecked + - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. + - **Needs Server** - Checked + - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. + - **Uses PowerShell** - Unchecked + - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. + - **Supports Entry Password** - Unchecked. - Advanced Tab: + - **Store Path Type** - Freeform - **Supports Custom Alias** - Forbidden. - **Private Key Handling** - Optional. + - **PFX Password Style** - Default - Custom Fields Tab: + - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. 
This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". + - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. 
Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. - **Name:** IsTrustStore, **Display Name:** Trust Store, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true', this store will be identified as a trust store. Any certificates attempting to be added via a Management-Add job that contain a private key will raise an error with an accompanying message. Multiple certificates may be added to the store in this use case. If set to 'false', this store can only contain a single certificate with chain and private key. Management-Add jobs attempting to add a certificate without a private key to a store marked as IsTrustStore = 'false' will raise an error with an accompanying message. - **Name:** IncludesChain, **Display Name:** Store Includes Chain, **Type:** Bool, **Default Value:** false. This custom field is **not required**. Default value if not present is 'false'. If 'true' the full certificate chain, if sent by Keyfactor Command, will be stored in the file. The order of appearance is always assumed to be 1) end entity certificate, 2) issuing CA certificate, and 3) root certificate. If additional CA tiers are applicable, the order will be end entity certificate up to the root CA certificate. if set to 'false', only the end entity certificate and private key will be stored in this store. This setting is only valid when IsTrustStore = false. - **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that the private key for the certificate stored in this file will be inside the same file as the certificate. 
If the full path AND file name is put here, that location will be used to store the private key as an external file. This setting is only valid when IsTrustStore = false. @@ -434,19 +437,32 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFDER Certificate Store Type +RFDER Certificate Store Type - Basic Tab: + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Custom Capability** - Unchecked + - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. + - **Needs Server** - Checked + - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. + - **Uses PowerShell** - Unchecked + - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. + - **Supports Entry Password** - Unchecked. - Advanced Tab: + - **Store Path Type** - Freeform - **Supports Custom Alias** - Forbidden. - **Private Key Handling** - Optional. + - **PFX Password Style** - Default - Custom Fields Tab: + - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. 
This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". + - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. 
Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. - **Name:** SeparatePrivateKeyFilePath, **Display Name:** Separate Private Key File Location, **Type:** String, **Default Value:** empty. This custom field is **not required**. If empty, or not provided, it will be assumed that there is no private key associated with this DER store. If the full path AND file name is entered here, that location will be used to store the private key as an external file in DER format. - Entry Parameters Tab: @@ -456,20 +472,32 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFKDB Certificate Store Type +RFKDB Certificate Store Type - Basic Tab: + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Custom Capability** - Unchecked + - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. + - **Needs Server** - Checked + - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. + - **Uses PowerShell** - Unchecked + - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. + - **Supports Entry Password** - Unchecked. - Advanced Tab: + - **Store Path Type** - Freeform - **Supports Custom Alias** - Required. - **Private Key Handling** - Optional. + - **PFX Password Style** - Default - Custom Fields Tab: - - no adittional custom fields/parameters + - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. 
This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". + - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. 
Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. - Entry Parameters Tab: @@ -478,19 +506,32 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFORA Certificate Store Type +RFORA Certificate Store Type - Basic Tab: + - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Custom Capability** - Unchecked + - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. + - **Needs Server** - Checked + - **Blueprint Allowed** - Checked if you wish to make use of blueprinting. Please refer to the Keyfactor Command Reference Guide for more details on this feature. + - **Uses PowerShell** - Unchecked + - **Requires Store Password** - Checked. NOTE: This does not require that a certificate store have a password, but merely ensures that a user who creates a Keyfactor Command Certificate Store MUST click the Store Password button and either enter a password or check No Password. Certificate stores with no passwords are still possible for certain certificate store types when checking this option. + - **Supports Entry Password** - Unchecked. - Advanced Tab: + - **Store Path Type** - Freeform - **Supports Custom Alias** - Required. - **Private Key Handling** - Optional. + - **PFX Password Style** - Default - Custom Fields Tab: + - **Name:** LinuxFilePermissionsOnStoreCreation, **Display Name:** Linux File Permissions on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultLinuxPermissionsOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, must be 3 digits all between 0-7. 
This represents the Linux file permissions that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". + - **Name:** LinuxFileOwnerOnStoreCreation, **Display Name:** Linux File Owner on Store Creation, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultOwnerOnStoreCreation setting in config.json (see Configuration File Setup section above). This value, applicable to certificate stores hosted on Linux orchestrated servers only, represents the alternate Linux file owner/group that will be set for this certificate store if created via a Management Create job or a Management Add job where the config.json option CreateStoreOnAddIsMissing is set to "Y". If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please confirm that the user name associated with this Keyfactor certificate store has valid permissions to chown the certificate file to this owner. + - **Name:** SudoImpersonatedUser, **Display Name:** Sudo Impersonated User Id, **Type:** String, **Default Value:** none. This custom field is **not required**. If not present, value reverts back to the DefaultSudoImpersonatedUser setting in config.json (see Configuration File Setup section above). Used in conjunction with UseSudo="Y", this optional setting can be used to set an alternate user id you wish to impersonate with sudo. If this option does not exist or is empty, and nothing is set for DefaultSudoImpersonatedUser in your config.json, the default user of "root" will be used. 
Any user id used here must have permissions to SCP/SFTP files to/from each certificate store location OR the SeparateUploadFilePath (see Configuration File Setup section above) as well as permissions to execute the commands listed in the "Security Considerations" section above. - **Name:** WorkFolder, **Display Name:** Work Folder, **Type:** String, **Default Value:** empty. This custom field is **required**. This required field should contain the path on the managed server where temporary work files can be created during Inventory and Management jobs. These files will be removed at the end of each job Please make sure that user id you have assigned to this certificate store will have access to create, modify, and delete files from this folder. - Entry Parameters Tab: @@ -533,7 +574,7 @@ Steps to create a new supported file based certificate store type: 8. After compiling, move all compiled files, including the config.json and manifest.json to {Keyfactor Orchestrator Installation Folder}\Extensions\RemoteFile. 9. Create the certificate store type in Keyfactor Command 10. Add a new CURL script to build the proper Keyfactor Command certificate store type and place it under "Certificate Store Type CURL Scripts". The name of the file should match the ShortName you are using for the new store type. -11. Update the documenation in readme_source.md by adding a new section under "Certificate Store Types" for this new supported file based store type. Include a pointer to the CURL script created in step 10. +11. Update the documenation in readme_source.md by adding a new section under [Creating Certificate Store Types](#creating-certificate-store-types) for this new supported file based store type. Include a pointer to the CURL script created in step 10.     ## License From c519ae6f2117478c8febec8dff81775cf007cd7c Mon Sep 17 00:00:00 2001 
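Review bot: typo in the added LinuxFileOwnerOnStoreCreation text, repeated in the RFPEM, RFDER, RFKDB and RFORA Custom Fields Tab hunks of this README.md change: "use a ":" as a delimitter" should read "delimiter". Since README.md is regenerated from readme_source.md (see the later "Update generated README" commits), the correction belongs in readme_source.md, not in both files by hand. Two pre-existing problems sit on context lines this hunk touches and could be fixed in the same pass: the installation link is written `[Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}` with a closing brace where a parenthesis belongs, so it will not render as a link, and the rewritten step 11 still reads "Update the documenation in readme_source.md". The SudoImpersonatedUser text is clear on precedence (store field, then DefaultSudoImpersonatedUser in config.json, then "root"); since the fallback remains root, it would help to say explicitly that the impersonated id should be the least-privileged account that can still run the commands listed under Security Considerations and reach the store path or SeparateUploadFilePath.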
From: leefine02 Date: Tue, 23 Apr 2024 19:32:01 +0000 Subject: [PATCH 076/108] ab#55565 --- readme_source.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/readme_source.md b/readme_source.md index e312bb6b..26eeaf09 100644 --- a/readme_source.md +++ b/readme_source.md @@ -229,7 +229,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo Below are the various certificate store types that the RemoteFile Orchestator Extension manages. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. Next, follow the incstructions under each store type you wish to set up.
-RFPkcs12 Certificate Store Type +RFPkcs12 - Pkcs12 formatted certificate file (including java keystores of type PKCS12) - Basic Tab: @@ -263,7 +263,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFJKS Certificate Store Type +RFJKS - Java keystore - Basic Tab: @@ -297,7 +297,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFPEM Certificate Store Type +RFPEM - PEM formatted certificate file - Basic Tab: @@ -336,7 +336,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFDER Certificate Store Type +RFDER - DER formatted certificate file - Basic Tab: @@ -371,7 +371,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFKDB Certificate Store Type +RFKDB - IBM Key Database File - Basic Tab: @@ -405,7 +405,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFORA Certificate Store Type +RFORA - Oracle Wallet - Basic Tab: From 0eed1bff1374a31276dfb104234d6c851c1204f8 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Tue, 23 Apr 2024 19:32:40 +0000 Subject: [PATCH 077/108] Update generated README --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 2287245a..cf1eaa4f 100644 --- a/README.md +++ b/README.md @@ -330,7 +330,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo Below are the various certificate store types that the RemoteFile Orchestator Extension manages. To create a new Certificate Store Type in Keyfactor Command, first click on settings (the gear icon on the top right) => Certificate Store Types => Add. Next, follow the incstructions under each store type you wish to set up.
-RFPkcs12 Certificate Store Type +RFPkcs12 - Pkcs12 formatted certificate file (including java keystores of type PKCS12) - Basic Tab: @@ -364,7 +364,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFJKS Certificate Store Type +RFJKS - Java keystore - Basic Tab: @@ -398,7 +398,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFPEM Certificate Store Type +RFPEM - PEM formatted certificate file - Basic Tab: @@ -437,7 +437,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFDER Certificate Store Type +RFDER - DER formatted certificate file - Basic Tab: @@ -472,7 +472,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFKDB Certificate Store Type +RFKDB - IBM Key Database File - Basic Tab: @@ -506,7 +506,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
-RFORA Certificate Store Type +RFORA - Oracle Wallet - Basic Tab: From 70e3924ba94189dbea55c5cbde99c0df00ce4b64 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Wed, 24 Apr 2024 13:59:52 +0000 Subject: [PATCH 078/108] ab#55565 --- readme_source.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/readme_source.md b/readme_source.md index 26eeaf09..8818d98c 100644 --- a/readme_source.md +++ b/readme_source.md @@ -82,7 +82,8 @@ While the Keyfactor Universal Orchestrator (UO) can be installed on either Windo |-----|-----|------| |Orchestrated Server on remote Windows server|✓ |✓ | |Orchestrated Server on remote Linux server|✓ |✓ | -|Orchestrated Server on same server as orchestrator service (Agent)|✓ |✓ | +|Orchestrated Server on same server as orchestrator service (Agent)|✓ |✓ | +     ## Versioning From dccf5f32947cdec03f6bec44587ff27bb9ba4479 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 24 Apr 2024 14:00:33 +0000 Subject: [PATCH 079/108] Update generated README --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index cf1eaa4f..03e863bf 100644 --- a/README.md +++ b/README.md @@ -183,7 +183,8 @@ While the Keyfactor Universal Orchestrator (UO) can be installed on either Windo |-----|-----|------| |Orchestrated Server on remote Windows server|✓ |✓ | |Orchestrated Server on remote Linux server|✓ |✓ | -|Orchestrated Server on same server as orchestrator service (Agent)|✓ |✓ | +|Orchestrated Server on same server as orchestrator service (Agent)|✓ |✓ | +     ## Versioning From 18634af18826bfec4b668657e8c300909c2c41bd Mon Sep 17 00:00:00 2001 From: leefine02 Date: Wed, 24 Apr 2024 14:15:21 +0000 Subject: [PATCH 080/108] ab#55565 --- readme_source.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/readme_source.md b/readme_source.md index 8818d98c..03a86b9a 100644 --- a/readme_source.md +++ b/readme_source.md 
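Review bot: inconsistent casing in the rewritten RFPkcs12 heading line of PATCH 076 (readme_source.md @@ -229) and its README.md mirror in PATCH 077: "+RFPkcs12 - Pkcs12 formatted certificate file (including java keystores of type PKCS12)" uses both "Pkcs12" and "PKCS12" in one line and lower-case "java", while the RFJKS line says "Java keystore"; suggest "PKCS12 formatted certificate file (including Java keystores of type PKCS12)". Because these are heading lines, dropping "Certificate Store Type" from them changes the generated anchors, so check that no in-document links still target the old "...-certificate-store-type" anchors. The unchanged hunk-header context in both files also carries "Orchestator" and "incstructions", which could be corrected in readme_source.md while this section is being edited.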
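Review bot: the only modified table row in PATCH 078 (readme_source.md @@ -82) and its README.md mirror in PATCH 079 reads identically before and after, "-|Orchestrated Server on same server as orchestrator service (Agent)|✓ |✓ |" versus "+|Orchestrated Server on same server as orchestrator service (Agent)|✓ |✓ |", so the visible change is limited to trailing whitespace or line ending plus the added spacer line "+  ". If only the spacer was intended, drop the row rewrite so the diff stays minimal; if a different cell value was intended, it did not make it into the commit.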
@@ -80,11 +80,11 @@ While the Keyfactor Universal Orchestrator (UO) can be installed on either Windo | | UO Installed on Windows | UO Installed on Linux | |-----|-----|------| -|Orchestrated Server on remote Windows server|✓ |✓ | -|Orchestrated Server on remote Linux server|✓ |✓ | -|Orchestrated Server on same server as orchestrator service (Agent)|✓ |✓ | +|Orchestrated Server on remote Windows server|✓ WinRM connection |✓ SSH connection | +|Orchestrated Server on remote Linux server|✓ SSH connection |✓ SSH connection | +|Orchestrated Server on same server as orchestrator service (Agent)|✓ WinRM connection or local file system |✓ SSH connection or local file system | -  +When the RemoteFile Orchestrator Extension is installd on a Windows or Linux server and is used to manager *other* Windows or Linux servers hosting certificate stores, it said to be acting as an *orchestrator*, managing certificate stores on one or more other *orchestrated* servers. When the Remote File Orchestrator Extension is installed but only manages certificate stores on the *same server*, it is said to be acting as an *agent*. When acting as an orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and operate directly on the server's file system. Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures.   ## Versioning 
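Review bot: three wording errors in the paragraph added by this hunk (readme_source.md @@ -80): "installd" should be "installed", "used to manager *other*" should be "used to manage *other*", and "it said to be acting" should be "it is said to be acting". The phrase "SSH (for Linux and possibly Windows orchestrated servers)" leaves the reader guessing; state the condition under which a Windows orchestrated server is reached over SSH instead of WinRM, or drop "possibly". The paragraph links to #certificate-stores-and-discovery-jobs, which only resolves because the second hunk of this same commit renames "## Creating Certificate Stores and Scheduling Discovery Jobs" to "## Certificate Stores and Discovery Jobs"; keep the two hunks together and check for other links to the old heading anchor. The text is mirrored into README.md by PATCH 081, so correct it here and regenerate.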
@@ -441,7 +441,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
  -## Creating Certificate Stores and Scheduling Discovery Jobs +## Certificate Stores and Discovery Jobs Please refer to the Keyfactor Command Reference Guide for information on creating certificate stores and scheduling Discovery jobs in Keyfactor Command. However, there are a few fields that are important to highlight here - Client Machine, Store Path (Creating Certificate Stores), and Directories to search (Discovery jobs) and Extensions (Discovery jobs). For Linux orchestrated servers, "Client Machine" should be the DNS or IP address of the remote orchestrated server while "Store Path" is the full path and file name of the file based store, beginning with a forward slash (/). For Windows orchestrated servers, "Client Machine" should be of the format {protocol}://{dns-or-ip}:{port} where {protocol} is either http or https, {dns-or-ip} is the DNS or IP address of the remote orchestrated server, and {port} is the port where WinRM is listening, by convention usually 5985 for http and 5986 for https. Alternately, entering the keyword "localhost" for "Client Machine" will point to the server where the orchestrator service is installed and WinRM WILL NOT be required. "Store Path" is the full path and file name of the file based store, beginning with a drive letter (i.e. c:\). For example valid values for Client Machine and Store Path for Linux and Windows managed servers may look something like: From 70c9a9da83db64f07856909a0d020edff0797a6c Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 24 Apr 2024 14:16:04 +0000 Subject: [PATCH 081/108] Update generated README --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 03e863bf..b3e4d7be 100644 --- a/README.md +++ b/README.md 
@@ -181,11 +181,11 @@ While the Keyfactor Universal Orchestrator (UO) can be installed on either Windo | | UO Installed on Windows | UO Installed on Linux | |-----|-----|------| -|Orchestrated Server on remote Windows server|✓ |✓ | -|Orchestrated Server on remote Linux server|✓ |✓ | -|Orchestrated Server on same server as orchestrator service (Agent)|✓ |✓ | +|Orchestrated Server on remote Windows server|✓ WinRM connection |✓ SSH connection | +|Orchestrated Server on remote Linux server|✓ SSH connection |✓ SSH connection | +|Orchestrated Server on same server as orchestrator service (Agent)|✓ WinRM connection or local file system |✓ SSH connection or local file system | -  +When the RemoteFile Orchestrator Extension is installd on a Windows or Linux server and is used to manager *other* Windows or Linux servers hosting certificate stores, it said to be acting as an *orchestrator*, managing certificate stores on one or more other *orchestrated* servers. When the Remote File Orchestrator Extension is installed but only manages certificate stores on the *same server*, it is said to be acting as an *agent*. When acting as an orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and operate directly on the server's file system. Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures.   ## Versioning 
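Review bot: this generated README.md hunk (@@ -181) reproduces the "installd", "manager" and "it said to be" errors from the readme_source.md hunk in PATCH 080; there is nothing to change here directly, but the fix has to land in readme_source.md and be regenerated, otherwise the next "Update generated README" run reintroduces them.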
@@ -542,7 +542,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex
  -## Creating Certificate Stores and Scheduling Discovery Jobs +## Certificate Stores and Discovery Jobs Please refer to the Keyfactor Command Reference Guide for information on creating certificate stores and scheduling Discovery jobs in Keyfactor Command. However, there are a few fields that are important to highlight here - Client Machine, Store Path (Creating Certificate Stores), and Directories to search (Discovery jobs) and Extensions (Discovery jobs). For Linux orchestrated servers, "Client Machine" should be the DNS or IP address of the remote orchestrated server while "Store Path" is the full path and file name of the file based store, beginning with a forward slash (/). For Windows orchestrated servers, "Client Machine" should be of the format {protocol}://{dns-or-ip}:{port} where {protocol} is either http or https, {dns-or-ip} is the DNS or IP address of the remote orchestrated server, and {port} is the port where WinRM is listening, by convention usually 5985 for http and 5986 for https. Alternately, entering the keyword "localhost" for "Client Machine" will point to the server where the orchestrator service is installed and WinRM WILL NOT be required. "Store Path" is the full path and file name of the file based store, beginning with a drive letter (i.e. c:\). For example valid values for Client Machine and Store Path for Linux and Windows managed servers may look something like: From b7ac12040540054172c46428b6815e5c9c7f709c Mon Sep 17 00:00:00 2001 From: leefine02 Date: Wed, 24 Apr 2024 14:23:27 +0000 Subject: [PATCH 082/108] ab#55565 --- readme_source.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/readme_source.md b/readme_source.md index 03a86b9a..fa385ce2 100644 --- a/readme_source.md +++ b/readme_source.md @@ -76,16 +76,18 @@ Use cases supported:
-While the Keyfactor Universal Orchestrator (UO) can be installed on either Windows or Linux; likewise, the Remote File Orchestrator Extension can be used to manage certificate stores residing on both Windows and Linux servers. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are shown below: +While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Extension can be installed on either Windows or Linux, the Remote File Orchestrator Extension can also *manage* certificate stores residing on both Windows and Linux servers. When the RemoteFile Orchestrator Extension is installed on a Windows or Linux server and is used to manager *other* Windows or Linux servers hosting certificate stores, it said to be acting as an *orchestrator*, managing certificate stores on one or more *other* orchestrated servers. When the Remote File Orchestrator Extension manages only certificate stores residing on the *same* server, it is said to be acting as an *agent*. When acting as an orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and operate directly on the server's file system. Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. 
The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are shown below along with : | | UO Installed on Windows | UO Installed on Linux | |-----|-----|------| -|Orchestrated Server on remote Windows server|✓ WinRM connection |✓ SSH connection | -|Orchestrated Server on remote Linux server|✓ SSH connection |✓ SSH connection | -|Orchestrated Server on same server as orchestrator service (Agent)|✓ WinRM connection or local file system |✓ SSH connection or local file system | +|Orchestrated Server on remote Windows server|WinRM connection | SSH connection | +|Orchestrated Server on remote Linux server| SSH connection | SSH connection | +|Orchestrated Server on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | -When the RemoteFile Orchestrator Extension is installd on a Windows or Linux server and is used to manager *other* Windows or Linux servers hosting certificate stores, it said to be acting as an *orchestrator*, managing certificate stores on one or more other *orchestrated* servers. When the Remote File Orchestrator Extension is installed but only manages certificate stores on the *same server*, it is said to be acting as an *agent*. When acting as an orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and operate directly on the server's file system. 
Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. + +&bnsp;   + ## Versioning The version number of a the Remote File Orchestrator Extension can be verified by right clicking on the RemoteFile.dll file in the Extensions/RemoteFile installation folder, selecting Properties, and then clicking on the Details tab. From 18e9e5c09de854df8a043208e5d84a2b66b6ea99 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 24 Apr 2024 14:24:00 +0000 Subject: [PATCH 083/108] Update generated README --- README.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index b3e4d7be..15a6b58c 100644 --- a/README.md +++ b/README.md @@ -177,16 +177,18 @@ Use cases supported:
-While the Keyfactor Universal Orchestrator (UO) can be installed on either Windows or Linux; likewise, the Remote File Orchestrator Extension can be used to manage certificate stores residing on both Windows and Linux servers. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are shown below: +While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Extension can be installed on either Windows or Linux, the Remote File Orchestrator Extension can also *manage* certificate stores residing on both Windows and Linux servers. When the RemoteFile Orchestrator Extension is installed on a Windows or Linux server and is used to manager *other* Windows or Linux servers hosting certificate stores, it said to be acting as an *orchestrator*, managing certificate stores on one or more *other* orchestrated servers. When the Remote File Orchestrator Extension manages only certificate stores residing on the *same* server, it is said to be acting as an *agent*. When acting as an orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and operate directly on the server's file system. Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. 
The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are shown below along with : | | UO Installed on Windows | UO Installed on Linux | |-----|-----|------| -|Orchestrated Server on remote Windows server|✓ WinRM connection |✓ SSH connection | -|Orchestrated Server on remote Linux server|✓ SSH connection |✓ SSH connection | -|Orchestrated Server on same server as orchestrator service (Agent)|✓ WinRM connection or local file system |✓ SSH connection or local file system | +|Orchestrated Server on remote Windows server|WinRM connection | SSH connection | +|Orchestrated Server on remote Linux server| SSH connection | SSH connection | +|Orchestrated Server on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | -When the RemoteFile Orchestrator Extension is installd on a Windows or Linux server and is used to manager *other* Windows or Linux servers hosting certificate stores, it said to be acting as an *orchestrator*, managing certificate stores on one or more other *orchestrated* servers. When the Remote File Orchestrator Extension is installed but only manages certificate stores on the *same server*, it is said to be acting as an *agent*. When acting as an orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and operate directly on the server's file system. 
Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. + +&bnsp;   + ## Versioning The version number of a the Remote File Orchestrator Extension can be verified by right clicking on the RemoteFile.dll file in the Extensions/RemoteFile installation folder, selecting Properties, and then clicking on the Details tab. From b7fc0d75dddefb50bce42cf88bb220d52e5ce68c Mon Sep 17 00:00:00 2001 From: leefine02 Date: Wed, 24 Apr 2024 14:24:39 +0000 Subject: [PATCH 084/108] ab#55565 --- readme_source.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/readme_source.md b/readme_source.md index fa385ce2..4708c546 100644 --- a/readme_source.md +++ b/readme_source.md @@ -83,9 +83,7 @@ While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Exte |Orchestrated Server on remote Windows server|WinRM connection | SSH connection | |Orchestrated Server on remote Linux server| SSH connection | SSH connection | |Orchestrated Server on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | - - -&bnsp; +    ## Versioning From b9fd15da421324e6d9a8b0c7df529ceed53c4664 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 24 Apr 2024 14:25:20 +0000 Subject: [PATCH 085/108] Update generated README --- README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index 15a6b58c..324ab579 100644 --- a/README.md +++ b/README.md 
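Review bot: the rewritten paragraph in the README.md hunk (@@ -177,16 +177,18) keeps two grammar slips and adds a dangling sentence: "used to manager *other* Windows or Linux servers" should read "manage", "it said to be acting as an *orchestrator*" is missing "is", and "are shown below along with :" stops without saying along with what (the table follows immediately, so either drop "along with" or finish the sentence). Since README.md is the generated output, the fix belongs in readme_source.md so the next "Update generated README" commit carries it. The `&bnsp;` entity visible in the trailing context is also misspelled (`&nbsp;`), though that is outside this hunk's changed lines.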
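Review bot: in the readme_source.md hunk (@@ -83,9 +83,7) the replacement spacer line is a run of literal non-breaking-space characters rather than the `&nbsp;` entity the removed `&bnsp;` line was evidently meant to be; invisible characters are easily stripped by editors and linters and cannot be seen in a diff, so prefer the visible `&nbsp;` entity (spelled correctly this time) or a plain blank line if the goal is only vertical spacing before "## Versioning".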
@@ -184,9 +184,7 @@ While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Exte |Orchestrated Server on remote Windows server|WinRM connection | SSH connection | |Orchestrated Server on remote Linux server| SSH connection | SSH connection | |Orchestrated Server on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | - - -&bnsp; +    ## Versioning From 3bd684d132e384a603a3e1aaeb405123270c4921 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Wed, 24 Apr 2024 14:25:35 +0000 Subject: [PATCH 086/108] ab#55565 --- readme_source.md | 1 + 1 file changed, 1 insertion(+) diff --git a/readme_source.md b/readme_source.md index 4708c546..eff421c5 100644 --- a/readme_source.md +++ b/readme_source.md @@ -83,6 +83,7 @@ While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Exte |Orchestrated Server on remote Windows server|WinRM connection | SSH connection | |Orchestrated Server on remote Linux server| SSH connection | SSH connection | |Orchestrated Server on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | +     From 5b95c039c8eb11741e2181344ed28c3d581a0b92 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 24 Apr 2024 14:26:13 +0000 Subject: [PATCH 087/108] Update generated README --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 324ab579..f8d42f29 100644 --- a/README.md +++ b/README.md @@ -184,6 +184,7 @@ While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Exte |Orchestrated Server on remote Windows server|WinRM connection | SSH connection | |Orchestrated Server on remote Linux server| SSH connection | SSH connection | |Orchestrated Server on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | +     
From 26beb9cae943e4e79c9c4b6318163529804d80a6 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Wed, 24 Apr 2024 14:26:19 +0000 Subject: [PATCH 088/108] ab#55565 --- readme_source.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/readme_source.md b/readme_source.md index eff421c5..7ea77edb 100644 --- a/readme_source.md +++ b/readme_source.md @@ -85,8 +85,7 @@ While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Exte |Orchestrated Server on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system |   -  - +  ## Versioning The version number of a the Remote File Orchestrator Extension can be verified by right clicking on the RemoteFile.dll file in the Extensions/RemoteFile installation folder, selecting Properties, and then clicking on the Details tab. From 4364df620e35dd0b92902c084c2086acb8c35c8e Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 24 Apr 2024 14:26:52 +0000 Subject: [PATCH 089/108] Update generated README --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index f8d42f29..5f21d16b 100644 --- a/README.md +++ b/README.md @@ -186,8 +186,7 @@ While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Exte |Orchestrated Server on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system |   -  - +  ## Versioning The version number of a the Remote File Orchestrator Extension can be verified by right clicking on the RemoteFile.dll file in the Extensions/RemoteFile installation folder, selecting Properties, and then clicking on the Details tab. From 1472576b99492929fa20d2cab087555982712dd1 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Wed, 24 Apr 2024 14:27:47 +0000 Subject: [PATCH 090/108] ab#55565 --- readme_source.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
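Review bot: the readme_source.md hunk (@@ -85,8 +85,7) removes one of the two spacer lines that PATCH 086 had just stacked after the table, so the net effect of commits 084 through 089 is a single whitespace line, yet each step also produced its own "Update generated README" commit. Squash the three spacer adjustments into one readme_source.md change before merge so the history and the generated README.md do not carry repeated whitespace churn.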
diff --git a/readme_source.md b/readme_source.md index 7ea77edb..04079e12 100644 --- a/readme_source.md +++ b/readme_source.md @@ -80,11 +80,10 @@ While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Exte | | UO Installed on Windows | UO Installed on Linux | |-----|-----|------| -|Orchestrated Server on remote Windows server|WinRM connection | SSH connection | -|Orchestrated Server on remote Linux server| SSH connection | SSH connection | -|Orchestrated Server on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | +|Orchestrated Server hosting certificate store(s) on remote Windows server|WinRM connection | SSH connection | +|Orchestrated Server certificate store(s) on remote Linux server| SSH connection | SSH connection | +|Orchestrated Server certificate store(s) on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | -    ## Versioning From 42aee1a5a6261eab7b1985b89a9144ffb8f66360 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 24 Apr 2024 14:28:28 +0000 Subject: [PATCH 091/108] Update generated README --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 5f21d16b..32ef1de4 100644 --- a/README.md +++ b/README.md 
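Review bot: the three renamed row labels in the readme_source.md hunk (@@ -80,11 +80,10) are inconsistent with each other: the Windows row reads "Orchestrated Server hosting certificate store(s) on remote Windows server" while the Linux row drops "hosting" ("Orchestrated Server certificate store(s) on remote Linux server"), and the agent row ("Orchestrated Server certificate store(s) on same server as orchestrator service (Agent)") contradicts the paragraph's own definition, under which agent mode has no separate orchestrated server. Use one pattern for the two remote rows and name the agent row by store location only, e.g. "Certificate store(s) on same server as orchestrator service (Agent)".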
@@ -181,11 +181,10 @@ While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Exte | | UO Installed on Windows | UO Installed on Linux | |-----|-----|------| -|Orchestrated Server on remote Windows server|WinRM connection | SSH connection | -|Orchestrated Server on remote Linux server| SSH connection | SSH connection | -|Orchestrated Server on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | +|Orchestrated Server hosting certificate store(s) on remote Windows server|WinRM connection | SSH connection | +|Orchestrated Server certificate store(s) on remote Linux server| SSH connection | SSH connection | +|Orchestrated Server certificate store(s) on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | -    ## Versioning From 34ea325b66a6b24e9b31311586a26d0d2610764e Mon Sep 17 00:00:00 2001 From: leefine02 Date: Wed, 24 Apr 2024 14:29:12 +0000 Subject: [PATCH 092/108] ab#55565 --- readme_source.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/readme_source.md b/readme_source.md index 04079e12..e95f2594 100644 --- a/readme_source.md +++ b/readme_source.md 
@@ -81,8 +81,8 @@ While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Exte | | UO Installed on Windows | UO Installed on Linux | |-----|-----|------| |Orchestrated Server hosting certificate store(s) on remote Windows server|WinRM connection | SSH connection | -|Orchestrated Server certificate store(s) on remote Linux server| SSH connection | SSH connection | -|Orchestrated Server certificate store(s) on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | +|Orchestrated Server hosting certificate store(s) on remote Linux server| SSH connection | SSH connection | +|Certificate store(s) on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system |   ## Versioning From d5ea05a4de44e7bd4d471fb300601f6392acf5b4 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 24 Apr 2024 14:29:54 +0000 Subject: [PATCH 093/108] Update generated README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 32ef1de4..36782cb1 100644 --- a/README.md +++ b/README.md 
@@ -182,8 +182,8 @@ While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Exte | | UO Installed on Windows | UO Installed on Linux | |-----|-----|------| |Orchestrated Server hosting certificate store(s) on remote Windows server|WinRM connection | SSH connection | -|Orchestrated Server certificate store(s) on remote Linux server| SSH connection | SSH connection | -|Orchestrated Server certificate store(s) on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | +|Orchestrated Server hosting certificate store(s) on remote Linux server| SSH connection | SSH connection | +|Certificate store(s) on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system |   ## Versioning From 79e31a501af3e714b7a1864678f232c0e1e353d5 Mon Sep 17 00:00:00 2001 From: leefine02 Date: Wed, 24 Apr 2024 17:40:11 +0000 Subject: [PATCH 094/108] ab#55565 --- readme_source.md | 47 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 40 insertions(+), 7 deletions(-) diff --git a/readme_source.md b/readme_source.md index e95f2594..c2a12bba 100644 --- a/readme_source.md +++ b/readme_source.md @@ -76,7 +76,7 @@ Use cases supported:
-While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Extension can be installed on either Windows or Linux, the Remote File Orchestrator Extension can also *manage* certificate stores residing on both Windows and Linux servers. When the RemoteFile Orchestrator Extension is installed on a Windows or Linux server and is used to manager *other* Windows or Linux servers hosting certificate stores, it said to be acting as an *orchestrator*, managing certificate stores on one or more *other* orchestrated servers. When the Remote File Orchestrator Extension manages only certificate stores residing on the *same* server, it is said to be acting as an *agent*. When acting as an orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and operate directly on the server's file system. Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are shown below along with : +While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Extension can be installed on either Windows or Linux, the Remote File Orchestrator Extension can also *manage* certificate stores residing on both Windows and Linux servers. 
When the RemoteFile Orchestrator Extension is installed on a Windows or Linux server and is used to manager *other* Windows or Linux servers hosting certificate stores, it is said to be acting as an *orchestrator*, managing certificate stores on one or more *other* orchestrated servers. When the Remote File Orchestrator Extension manages only certificate stores residing on the *same* server, it is said to be acting as an *agent*. When acting as an orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and operate directly on the server's file system. Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are shown below along with : | | UO Installed on Windows | UO Installed on Linux | |-----|-----|------| 
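Review bot: splitting the paragraph and adding the missing "is" in "it is said to be acting as an *orchestrator*" is welcome, but in the readme_source.md hunk (@@ -76,7) "used to manager *other* Windows or Linux servers" still needs "manage", and the closing "The supported configurations ... are shown below along with :" is still an unfinished sentence; end it at "are shown below:" unless something besides the table is meant to follow.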
@@ -442,16 +442,49 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex   ## Certificate Stores and Discovery Jobs -Please refer to the Keyfactor Command Reference Guide for information on creating certificate stores and scheduling Discovery jobs in Keyfactor Command. However, there are a few fields that are important to highlight here - Client Machine, Store Path (Creating Certificate Stores), and Directories to search (Discovery jobs) and Extensions (Discovery jobs). For Linux orchestrated servers, "Client Machine" should be the DNS or IP address of the remote orchestrated server while "Store Path" is the full path and file name of the file based store, beginning with a forward slash (/). For Windows orchestrated servers, "Client Machine" should be of the format {protocol}://{dns-or-ip}:{port} where {protocol} is either http or https, {dns-or-ip} is the DNS or IP address of the remote orchestrated server, and {port} is the port where WinRM is listening, by convention usually 5985 for http and 5986 for https. Alternately, entering the keyword "localhost" for "Client Machine" will point to the server where the orchestrator service is installed and WinRM WILL NOT be required. "Store Path" is the full path and file name of the file based store, beginning with a drive letter (i.e. c:\). For example valid values for Client Machine and Store Path for Linux and Windows managed servers may look something like: +When creating new certificate stores or scheduling discovery jobs in Keyfactor Command, there are a few fields that are important to highlight here: + +
+Client Machine (certificate stores and discovery jobs) + +For Linux orchestrated servers, "Client Machine" should be the DNS name or IP address of the remote orchestrated server, while for Windows orchestratred servers, it should be the following URL format: protocol://dns-or-ip:port, where +* protocol is http or https, whatever your WinRM configuration uses +* dns-or-ip is the DNS name or IP address of the server +* port is the port WinRM is running under, usually 5985 for http and 5986 for https. + +If running as an agent (accessing stores on the server where the Universal Orchestrator Services is installed ONLY), Client Machine can be entered as stated above, OR you can bypass SSH/WinRM and access the local file system directly by adding "|LocalMachine" to the end of your value for Client Machine, for example "1.1.1.1|LocalMachine". In this instance the value to the left of the pipe (|) is ignored. It is important to make sure the values for Client Machine and Store Path together are unique for each certificate store created, as Keyfactor Command requires the Store Type you select, along with Client Machine, and Store Path together must be unique. To ensure this, it is good practice to put the full DNS or IP Address to the left of the | character when setting up a cerificate store that will accessed without a WinRM/SSH connection. + +
-Linux: Client Machine - 127.0.0.1 or MyLinuxServerName; Store Path - /home/folder/path/storename.ext -Windows: Client Machine - https://My.Server.Domain:5986; Store Path - c:\folder\path\storename.ext -Credentials **must** be entered: a user id and either a password or valid PAM key if the password is stored in a KF Command configured PAM integration. Alternatively, this password can be an SSH private key if connecting to a Linux server using SSH private key authentication. +
+Store Path (certificate stores) + +For Linux orchestrated servers, "StorePath" will begin with a forward slash (/) and contain the full path and file name, including file extension if one exists (i.e. /folder/path/storename.ext). For Windows orchestrated servers, it should be the full path and file name, including file extension if one exists, beginning with a drive letter (i.e. c:\folder\path\storename.ext). + +
+ +
+Server Username/Password -For "Directories to search", you can chain paths with a comma delimiter as documented in the Keyfactor Command Reference Guide, but there is also a special value that can be used instead - fullscan. Entering fullscan in this field will tell the RemoteFile discovery job to search all available drive letters and recursively search all of them for files matching the other search criteria. +Credentials **must** be entered: a user id and either a password or valid PAM key if the password is stored in a KF Command configured PAM integration. Alternatively, this password can be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check "No Value" for the username and password. + +
+
+Directories to Search (discovery jobs) + +Enter one or more comma delimitted file paths to search (please reference the Keyfactor Command Reference Guide for more information), but there is also a special value that can be used on Windows orchestrated servers instead - "fullscan". Entering fullscan in this field will tell the RemoteFile discovery job to search all available drive letters at the root and recursively search all of them for files matching the other search criteria. + +
+ +
+Extensions (discovery jobs) + +In addition to entering one or more comma delimitted extensions to search for (please reference the Keyfactor Command Reference Guide for more information), a reserved value of "noext" can be used that will cause the RemoteFile discovery job to search for files that do not have an extension. This value can be chained with other extensions using the comma delimiter. For example, entering pem,jks,noext will cause the RemoteFile discovery job to return file locations with extensions of "pem", "jks", *and* files that do not have extensions. + +
-For "Extensions", a reserved value of noext will cause the RemoteFile discovery job to search for files that do not have an extension. This value can be chained with other extensions using a comma delimiter. For example, entering pem,jks,noext will cause the RemoteFile discovery job to search for files with extensions of PEM or JKS or files that do not have extensions. +Please refer to the Keyfactor Command Reference Guide for complete information on creating certificate stores and scheduling discovery jobs in Keyfactor Command.     ## Developer Notes From d6247650a40f2df5a48a4ef67c29f07cc8436b89 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 24 Apr 2024 17:40:46 +0000 Subject: [PATCH 095/108] Update generated README --- README.md | 47 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 40 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 36782cb1..e7b237c1 100644 --- a/README.md +++ b/README.md @@ -177,7 +177,7 @@ Use cases supported:
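Review bot: the restructured "Certificate Stores and Discovery Jobs" section (readme_source.md hunk @@ -442,16 +442,49) drops a documented behavior without saying so: the removed paragraph stated that entering the keyword "localhost" for Client Machine points at the orchestrator's own server with WinRM not required, while the new text documents only the "|LocalMachine" suffix. If "localhost" no longer bypasses WinRM, state that as a behavior change (and add a CHANGELOG line); if it still works, keep it documented alongside "|LocalMachine". For the "|LocalMachine" mode itself, the text says the value left of the pipe is ignored and the Server Username/Password section says to check "No Value", so it would help operators to state explicitly that no remote connection or credential check occurs in that mode and which account's file-system permissions then apply. Two other points: "fullscan" is now described as usable "on Windows orchestrated servers" whereas the removed paragraph stated no platform restriction, so confirm which is correct; and the concrete Client Machine examples ("127.0.0.1 or MyLinuxServerName", "https://My.Server.Domain:5986") were removed while Store Path kept its examples, so restore at least the Windows URL example under Client Machine. Typos to fix in the same hunk: "orchestratred", "delimitted" (twice), "cerificate", "that will accessed" (needs "be"), and "Universal Orchestrator Services is installed" (singular "Service").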
-While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Extension can be installed on either Windows or Linux, the Remote File Orchestrator Extension can also *manage* certificate stores residing on both Windows and Linux servers. When the RemoteFile Orchestrator Extension is installed on a Windows or Linux server and is used to manager *other* Windows or Linux servers hosting certificate stores, it said to be acting as an *orchestrator*, managing certificate stores on one or more *other* orchestrated servers. When the Remote File Orchestrator Extension manages only certificate stores residing on the *same* server, it is said to be acting as an *agent*. When acting as an orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and operate directly on the server's file system. Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are shown below along with : +While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Extension can be installed on either Windows or Linux, the Remote File Orchestrator Extension can also *manage* certificate stores residing on both Windows and Linux servers. 
When the RemoteFile Orchestrator Extension is installed on a Windows or Linux server and is used to manager *other* Windows or Linux servers hosting certificate stores, it is said to be acting as an *orchestrator*, managing certificate stores on one or more *other* orchestrated servers. When the Remote File Orchestrator Extension manages only certificate stores residing on the *same* server, it is said to be acting as an *agent*. When acting as an orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and operate directly on the server's file system. Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are shown below along with : | | UO Installed on Windows | UO Installed on Linux | |-----|-----|------| 
@@ -543,16 +543,49 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex   ## Certificate Stores and Discovery Jobs -Please refer to the Keyfactor Command Reference Guide for information on creating certificate stores and scheduling Discovery jobs in Keyfactor Command. However, there are a few fields that are important to highlight here - Client Machine, Store Path (Creating Certificate Stores), and Directories to search (Discovery jobs) and Extensions (Discovery jobs). For Linux orchestrated servers, "Client Machine" should be the DNS or IP address of the remote orchestrated server while "Store Path" is the full path and file name of the file based store, beginning with a forward slash (/). For Windows orchestrated servers, "Client Machine" should be of the format {protocol}://{dns-or-ip}:{port} where {protocol} is either http or https, {dns-or-ip} is the DNS or IP address of the remote orchestrated server, and {port} is the port where WinRM is listening, by convention usually 5985 for http and 5986 for https. Alternately, entering the keyword "localhost" for "Client Machine" will point to the server where the orchestrator service is installed and WinRM WILL NOT be required. "Store Path" is the full path and file name of the file based store, beginning with a drive letter (i.e. c:\). For example valid values for Client Machine and Store Path for Linux and Windows managed servers may look something like: +When creating new certificate stores or scheduling discovery jobs in Keyfactor Command, there are a few fields that are important to highlight here: + +
+Client Machine (certificate stores and discovery jobs) + +For Linux orchestrated servers, "Client Machine" should be the DNS name or IP address of the remote orchestrated server, while for Windows orchestratred servers, it should be the following URL format: protocol://dns-or-ip:port, where +* protocol is http or https, whatever your WinRM configuration uses +* dns-or-ip is the DNS name or IP address of the server +* port is the port WinRM is running under, usually 5985 for http and 5986 for https. + +If running as an agent (accessing stores on the server where the Universal Orchestrator Services is installed ONLY), Client Machine can be entered as stated above, OR you can bypass SSH/WinRM and access the local file system directly by adding "|LocalMachine" to the end of your value for Client Machine, for example "1.1.1.1|LocalMachine". In this instance the value to the left of the pipe (|) is ignored. It is important to make sure the values for Client Machine and Store Path together are unique for each certificate store created, as Keyfactor Command requires the Store Type you select, along with Client Machine, and Store Path together must be unique. To ensure this, it is good practice to put the full DNS or IP Address to the left of the | character when setting up a cerificate store that will accessed without a WinRM/SSH connection. + +
-Linux: Client Machine - 127.0.0.1 or MyLinuxServerName; Store Path - /home/folder/path/storename.ext -Windows: Client Machine - https://My.Server.Domain:5986; Store Path - c:\folder\path\storename.ext -Credentials **must** be entered: a user id and either a password or valid PAM key if the password is stored in a KF Command configured PAM integration. Alternatively, this password can be an SSH private key if connecting to a Linux server using SSH private key authentication. +
+Store Path (certificate stores) + +For Linux orchestrated servers, "StorePath" will begin with a forward slash (/) and contain the full path and file name, including file extension if one exists (i.e. /folder/path/storename.ext). For Windows orchestrated servers, it should be the full path and file name, including file extension if one exists, beginning with a drive letter (i.e. c:\folder\path\storename.ext). + +
+ +
+Server Username/Password -For "Directories to search", you can chain paths with a comma delimiter as documented in the Keyfactor Command Reference Guide, but there is also a special value that can be used instead - fullscan. Entering fullscan in this field will tell the RemoteFile discovery job to search all available drive letters and recursively search all of them for files matching the other search criteria. +Credentials **must** be entered: a user id and either a password or valid PAM key if the password is stored in a KF Command configured PAM integration. Alternatively, this password can be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check "No Value" for the username and password. + +
+
+Directories to Search (discovery jobs) + +Enter one or more comma delimitted file paths to search (please reference the Keyfactor Command Reference Guide for more information), but there is also a special value that can be used on Windows orchestrated servers instead - "fullscan". Entering fullscan in this field will tell the RemoteFile discovery job to search all available drive letters at the root and recursively search all of them for files matching the other search criteria. + +
+ +
+Extensions (discovery jobs) + +In addition to entering one or more comma delimitted extensions to search for (please reference the Keyfactor Command Reference Guide for more information), a reserved value of "noext" can be used that will cause the RemoteFile discovery job to search for files that do not have an extension. This value can be chained with other extensions using the comma delimiter. For example, entering pem,jks,noext will cause the RemoteFile discovery job to return file locations with extensions of "pem", "jks", *and* files that do not have extensions. + +
-For "Extensions", a reserved value of noext will cause the RemoteFile discovery job to search for files that do not have an extension. This value can be chained with other extensions using a comma delimiter. For example, entering pem,jks,noext will cause the RemoteFile discovery job to search for files with extensions of PEM or JKS or files that do not have extensions. +Please refer to the Keyfactor Command Reference Guide for complete information on creating certificate stores and scheduling discovery jobs in Keyfactor Command.     ## Developer Notes From 6373816ca828c4692864eb970e7de3e60611cfae Mon Sep 17 00:00:00 2001 From: leefine02 Date: Wed, 24 Apr 2024 17:59:19 +0000 Subject: [PATCH 096/108] ab#55565 --- readme_source.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme_source.md b/readme_source.md index c2a12bba..9b6c53a0 100644 --- a/readme_source.md +++ b/readme_source.md @@ -467,7 +467,7 @@ For Linux orchestrated servers, "StorePath" will begin with a forward slash (/)
Server Username/Password -Credentials **must** be entered: a user id and either a password or valid PAM key if the password is stored in a KF Command configured PAM integration. Alternatively, this password can be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check "No Value" for the username and password. +A username and password (or valid PAM key if the username and/or password is stored in a KF Command configured PAM integration). The password can be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check "No Value" for the username and password.
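Review bot: the new first sentence of the Server Username/Password entry in this readme_source.md hunk ("A username and password (or valid PAM key if ...)") is a noun phrase with no verb; suggest "Enter a username and password (or a valid PAM key if the username and/or password is stored in a KF Command-configured PAM integration)." so the entry reads as an instruction like the neighbouring ones. The sentence that follows it ("The password can be an SSH private key ...") then stands on its own.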
From e217416545ea6b7605ccf69f959c913f4b27f7f5 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 24 Apr 2024 17:59:50 +0000 Subject: [PATCH 097/108] Update generated README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e7b237c1..9a14e9f5 100644 --- a/README.md +++ b/README.md @@ -568,7 +568,7 @@ For Linux orchestrated servers, "StorePath" will begin with a forward slash (/)
Server Username/Password -Credentials **must** be entered: a user id and either a password or valid PAM key if the password is stored in a KF Command configured PAM integration. Alternatively, this password can be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check "No Value" for the username and password. +A username and password (or valid PAM key if the username and/or password is stored in a KF Command configured PAM integration). The password can be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check "No Value" for the username and password.
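Review bot: this README.md hunk at @@ -568 is the generated copy of the readme_source.md change in the previous patch and carries the same verb-less first sentence ("A username and password (or valid PAM key ...)"); fix the wording in readme_source.md and regenerate rather than hand-editing README.md, otherwise the next generation run reintroduces it.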
From d2485d27dd7d1d0037b98a97bf86f1dbf98b173c Mon Sep 17 00:00:00 2001 From: leefine02 Date: Wed, 24 Apr 2024 21:10:48 +0000 Subject: [PATCH 098/108] ab#55565 --- readme_source.md | 64 +++++++++++++++++++++++++----------------------- 1 file changed, 34 insertions(+), 30 deletions(-) diff --git a/readme_source.md b/readme_source.md index 9b6c53a0..e4416b0d 100644 --- a/readme_source.md +++ b/readme_source.md @@ -8,8 +8,8 @@ The Remote File Orchestrator Extension is a multi-purpose integration that can r The RFPkcs12 store type can be used to manage any PKCS#12 compliant file format INCLUDING java keystores of type PKCS12. Use cases supported: -1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. -2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. +1. One-to-many trust entries - A trust entry is considered single certificate without a private key in a certificate store. Each trust entry is identified with a custom alias. +2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias. 3. A mix of trust and key entries.
@@ -20,8 +20,8 @@ Use cases supported: The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. Use cases supported: -1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. -2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. +1. One-to-many trust entries - A trust entry is considered single certificate without a private key in a certificate store. Each trust entry is identified with a custom alias. +2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias. 3. A mix of trust and key entries.
@@ -58,8 +58,8 @@ Use cases supported: The RFKDB store type can be used to manage IBM Key Database Files (KDB) files. The IBM utility, GSKCAPICMD, is used to read and write certificates from and to the target store and is therefore required to be installed on the server where each KDB certificate store being managed resides, and its location MUST be in the system $Path. Use cases supported: -1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. -2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. +1. One-to-many trust entries - A trust entry is considered single certificate without a private key in a certificate store. Each trust entry is identified with a custom alias. +2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias. 3. A mix of trust and key entries.
@@ -70,13 +70,13 @@ Use cases supported: The RFORA store type can be used to manage Pkcs12 Oracle Wallets. Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows. Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created. Use cases supported: -1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. -2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. +1. One-to-many trust entries - A trust entry is considered single certificate without a private key in a certificate store. Each trust entry is identified with a custom alias. +2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias. 3. A mix of trust and key entries.
-While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Extension can be installed on either Windows or Linux, the Remote File Orchestrator Extension can also *manage* certificate stores residing on both Windows and Linux servers. When the RemoteFile Orchestrator Extension is installed on a Windows or Linux server and is used to manager *other* Windows or Linux servers hosting certificate stores, it is said to be acting as an *orchestrator*, managing certificate stores on one or more *other* orchestrated servers. When the Remote File Orchestrator Extension manages only certificate stores residing on the *same* server, it is said to be acting as an *agent*. When acting as an orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and operate directly on the server's file system. Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are shown below along with : +While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Extension can be installed on either Windows or Linux, the Remote File Orchestrator Extension can also *manage* certificate stores residing on both Windows and Linux servers. 
When the RemoteFile Orchestrator Extension is installed on a Windows or Linux server and is used to manager *other* Windows or Linux servers hosting certificate stores, it is said to be acting as an *orchestrator*, managing certificate stores on one or more *other* orchestrated servers. When the Remote File Orchestrator Extension manages only certificate stores residing on the *same* server, it is said to be acting as an *agent*. When acting as an orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and operate directly on the server's file system. Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are detailed below: | | UO Installed on Windows | UO Installed on Linux | |-----|-----|------| @@ -95,7 +95,8 @@ The version number of a the Remote File Orchestrator Extension can be verified b
Certificate stores hosted on Linux servers: -1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux servers. If the credentials you will be connecting with need elevated access to run these commands or to access the certificate store files these commands operate against, you must set up the user id as a sudoer with no password necessary and set the config.json "UseSudo" value to "Y" (See "Config File Setup" later in this README for more information on setting up the config.json file). The full list of these commands below: + +1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux servers. If the credentials you will be connecting with need elevated access to run these commands or to access the certificate store files these commands operate against, you must set up the user id as a sudoer with no password necessary and set the config.json "UseSudo" value to "Y". The full list of these commands below: |Shell Command|Used For| |---|---| 
@@ -107,27 +108,30 @@ The version number of a the Remote File Orchestrator Extension can be verified b |rm|Used by Inventory and Management Add/Remove jobs to remove temporary files (only when an alternate upload/download folder has been configured).| |install|Used by the Management Create Store job when initializing a certificate store file.| |orapki|Oracle Wallet CLI utility used by Inventory and Management Add/Remove jobs to manipulate an Oracle Wallet certificate store. Used for the RFORA store type only.| -|gskcapicmd|IBM Key Database CLI utility used by Inventory and Management Add/Remove jobs to manipulate an IBM Key Database certificate store. Used for the RFKDB store type only.| +|gskcapicmd|IBM Key Database CLI utility used by Inventory and Management Add/Remove jobs to manipulate an IBM Key Database certificate store. Used for the RFKDB store type only.| + +2. The Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server. SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer. If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer. -2. The Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server. SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer. If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer (See "Config File Setup" later in this README regarding the config.json file). +3. 
SSH Key Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or supply a user id and SSH private key. Both PKCS#1 (BEGIN RSA PRIVATE KEY) and PKCS#8 (BEGIN PRIVATE KEY) formats are supported for the SSH private key. If using the normal Keyfactor Command credentials dialog without PAM integration, just copy and paste the full SSH private key into the Password textbox. -3. SSH Key Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension (see "Creating Certificate Stores" later in this README, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or a user id and SSH private key. Both PKCS#1 (BEGIN RSA PRIVATE KEY) and PKCS#8 (BEGIN PRIVATE KEY) formats are supported for the SSH private key. If using the normal Keyfactor Command credentials dialog without PAM integration, just copy and paste the full SSH private key into the Password textbox. +Please reference [Configuration File Setup](#configuration-file-setup) for more information on setting up the config.json file and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) for more information on the items above.
Certificate stores hosted on Windows servers: -1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command (See "Creating Certificate Stores" later in this README). +1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command. Please reference [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) for more information on creating certificate stores for the RemoteFile Orchestrator Extension. + +
Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment. -
  ## Remote File Orchestrator Extension Installation 1. Review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) section and make sure your environment is set up as required. 2. Refer to the [Creating Certificate Store Types](#creating-certificate-store-types) section to create the certificate store types you wish to manage. 3. Stop the Keyfactor Universal Orchestrator Service on the server you plan to install this extension to run on. -4. In the Keyfactor Orchestrator installation folder (by convention usually C:\Program Files\Keyfactor\Keyfactor Orchestrator), find the "Extensions" folder. Underneath that, create a new folder named "RemoteFile". You may choose to use a different name if you wish. +4. In the Keyfactor Orchestrator installation folder (by convention usually C:\Program Files\Keyfactor\Keyfactor Orchestrator for a Windows install or /opt/keyfactor/orchestrator/ for a Linux install), find the "Extensions" folder. Underneath that, create a new folder named "RemoteFile". You may choose to use a different name if you wish. 5. Download the latest version of the RemoteFile orchestrator extension from [GitHub](https://github.com/Keyfactor/remote-file-orchestrator). Click on the "Latest" release link on the right hand side of the main page and download the first zip file. 6. Copy the contents of the download installation zip file to the folder created in step 4. 7. (Optional) If you decide to create one or more certificate store types with short names different than the suggested values, edit the manifest.json file in the folder you created in step 4, and modify each "ShortName" in each "Certstores.{ShortName}.{Operation}" line with the ShortName you used to create the respective certificate store type. @@ -154,7 +158,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
UseSudo (Applicable for Linux hosted certificate stores only) -* Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands. +* Determines whether to prefix Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands. * Allowed values - Y/N * Default value - N @@ -188,7 +192,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
-SeparateUploadFilePath(Applicable for Linux hosted certificate stores only) +SeparateUploadFilePath (Applicable for Linux hosted certificate stores only) * Set this to the path you wish to use as the location on the orchestrated server to upload/download and later remove temporary work files when processing jobs. If set to "" or not provided, the location of the certificate store itself will be used. File transfer is performed using the SCP or SFTP protocols (see the File TransferProtocol setting). * Allowed values - Any valid, existing Linux path configured to allow SCP/SFTP file upload/download tranfers. @@ -208,7 +212,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
DefaultLinuxPermissionsOnStoreCreation (Applicable for Linux hosted certificate stores only) -* The Linux file permissions that will be set on a new certificate store created via a Management Create job or a Management Add job where CreateStoreOnAddIsMissing is set to "Y". This value will be used for all certificate stores managed by this orchestrator instance unless overridden by the optional "Linux File Permissions on Store Creation" custom parameter setting on a specific certificate store (See the "Certificatee Store Types Supported" section later in this README). +* The Linux file permissions that will be set on a new certificate store created via a Management Create job or a Management Add job where CreateStoreOnAddIsMissing is set to "Y". This value will be used for all certificate stores managed by this orchestrator instance unless overridden by the optional "Linux File Permissions on Store Creation" custom parameter setting on a specific certificate store. See the [Creating Certificate Store Types](#creating-certificate-store-types) section for more information on creating RemoteFile certificate store types. * Allowed values - Any 3 digit value from 000-777. * Default Value - 600. @@ -217,7 +221,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
DefaultOwnerOnStoreCreation (Applicable for Linux hosted certificate stores only) -* When a Management job is run to remotely create the physical certificate store on a remote server, by default the file owner and group will be set to the user name associated with the Keyfactor certificate store. Setting DefaultOwnerOnStoreCreation to an alternative valid Linux user name will set that as the owner/group instead. If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please make sure that the user associated with the certificate store will have valid permissions to chown the certificate store file to this alernative owner. The optional "Linux File Owner on Store Creation" custom parameter setting for a specific certificate store (See the "Certificatee Store Types Supported" section later in this README) can override this value for a specific store. +* When a Management job is run to remotely create the physical certificate store on a remote server, by default the file owner and group will be set to the user name associated with the Keyfactor certificate store. Setting DefaultOwnerOnStoreCreation to an alternative valid Linux user name will set that as the owner/group instead. If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please make sure that the user associated with the certificate store will have valid permissions to chown the certificate store file to this alernative owner. The optional "Linux File Owner on Store Creation" custom parameter setting for a specific certificate store can override this value for a specific store. See the [Creating Certificate Store Types](#creating-certificate-store-types) section for more information on creating RemoteFile certificate store types. 
* Allowed values - Any valid user id that the destination Linux server will recognize * Default Value - blank (the ID associated with the Keyfactor certificate store will be used). @@ -234,7 +238,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked 
@@ -268,7 +272,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked @@ -302,7 +306,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked 
@@ -341,7 +345,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked @@ -376,7 +380,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked 
@@ -410,7 +414,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked @@ -458,27 +462,27 @@ If running as an agent (accessing stores on the server where the Universal Orche
-Store Path (certificate stores) +Store Path (certificate stores only) For Linux orchestrated servers, "StorePath" will begin with a forward slash (/) and contain the full path and file name, including file extension if one exists (i.e. /folder/path/storename.ext). For Windows orchestrated servers, it should be the full path and file name, including file extension if one exists, beginning with a drive letter (i.e. c:\folder\path\storename.ext).
-Server Username/Password +Server Username/Password (certificate stores and discovery jobs) A username and password (or valid PAM key if the username and/or password is stored in a KF Command configured PAM integration). The password can be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check "No Value" for the username and password.
-Directories to Search (discovery jobs) +Directories to Search (discovery jobs only) Enter one or more comma delimitted file paths to search (please reference the Keyfactor Command Reference Guide for more information), but there is also a special value that can be used on Windows orchestrated servers instead - "fullscan". Entering fullscan in this field will tell the RemoteFile discovery job to search all available drive letters at the root and recursively search all of them for files matching the other search criteria.
-Extensions (discovery jobs) +Extensions (discovery jobs only) In addition to entering one or more comma delimitted extensions to search for (please reference the Keyfactor Command Reference Guide for more information), a reserved value of "noext" can be used that will cause the RemoteFile discovery job to search for files that do not have an extension. This value can be chained with other extensions using the comma delimiter. For example, entering pem,jks,noext will cause the RemoteFile discovery job to return file locations with extensions of "pem", "jks", *and* files that do not have extensions. From 3dfb392f72c2daaa1e31d3a9db459b0c75aeab6b Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 24 Apr 2024 21:11:27 +0000 Subject: [PATCH 099/108] Update generated README --- README.md | 64 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 34 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index 9a14e9f5..588e6b3c 100644 --- a/README.md +++ b/README.md @@ -109,8 +109,8 @@ The Remote File Orchestrator Extension is a multi-purpose integration that can r The RFPkcs12 store type can be used to manage any PKCS#12 compliant file format INCLUDING java keystores of type PKCS12. Use cases supported: -1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. -2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. +1. One-to-many trust entries - A trust entry is considered single certificate without a private key in a certificate store. Each trust entry is identified with a custom alias. +2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias. 3. A mix of trust and key entries.
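Review bot: the rewritten list items in the four identical "Use cases supported" hunks of the readme_source.md patch (@@ -8, @@ -20, @@ -58 and @@ -70) drop an article and a verb: "A trust entry is considered single certificate" should read "is considered a single certificate", and item 2's "Each certificate identified with a custom alias" should read "Each certificate is identified with a custom alias" to match item 1. In the @@ -70 hunk the new paragraph also keeps the typo "used to manager *other* Windows or Linux servers" ("manage"), which the rewrite was the natural place to fix.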
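Review bot: the @@ -95 hunk of the readme_source.md patch still tells readers to "set up the user id as a sudoer with no password necessary" without saying what that sudoers entry should cover; since the same patch documents UseSudo as a "least permissions necessary" control that relies on the sudoers file to authorize "that specific command", the prerequisite should recommend a NOPASSWD rule scoped to the commands listed in the table directly below it rather than an unrestricted one. Minor: "The full list of these commands below:" is missing a verb ("is below:").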
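Review bot: the WinRM ports in item 1 of "Certificate stores hosted on Windows servers" (@@ -107 hunk of the readme_source.md patch) look wrong: the conventional WinRM listeners are 5985 for HTTP and 5986 for HTTPS, not 5585/5586, and the rewritten line carries the old values forward, so a reader following it will build a store path that cannot connect. The same item also keeps the run-on "when setting up your certificate stores When creating a new certificate store in Keyfactor Command" (drop one of the two clauses), and item 2 keeps the typo "apprpriately".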
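Review bot: the @@ -188 hunk of the readme_source.md patch fixes the missing space in the SeparateUploadFilePath heading but leaves "tranfers" in the Allowed values line ("transfers"); "the File TransferProtocol setting" in the same entry also looks like a config key name split by a stray space, so check it against the actual config.json key and spell it the same way.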
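Review bot: the rewritten DefaultOwnerOnStoreCreation line (@@ -217 hunk of the readme_source.md patch) keeps two typos, "delimitter" and "alernative"; since the line is already being replaced, correct them here ("delimiter", "alternative").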
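Review bot: the link fix in the six Short Name hunks of the readme_source.md patch (@@ -234, @@ -268, @@ -302, @@ -341, @@ -376 and @@ -410) corrects the anchor to #remote-file-orchestrator-extension-installation but keeps the closing `}` in `(#remote-file-orchestrator-extension-installation}`, so the markdown link is still malformed in all six places; it needs a closing `)`.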
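Review bot: in the @@ -458 hunk of the readme_source.md patch, "comma delimitted" appears in both the Directories to Search and Extensions entries and should be "comma-delimited" (the same wording was introduced by the earlier readme_source.md hunk that added these two entries, so fix both occurrences). The Store Path examples "(i.e. /folder/path/storename.ext)" and "(i.e. c:\folder\path\storename.ext)" are illustrations, so "e.g." is the right abbreviation.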
@@ -121,8 +121,8 @@ Use cases supported: The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12. Use cases supported: -1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. -2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. +1. One-to-many trust entries - A trust entry is considered single certificate without a private key in a certificate store. Each trust entry is identified with a custom alias. +2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias. 3. A mix of trust and key entries.
@@ -159,8 +159,8 @@ Use cases supported: The RFKDB store type can be used to manage IBM Key Database Files (KDB) files. The IBM utility, GSKCAPICMD, is used to read and write certificates from and to the target store and is therefore required to be installed on the server where each KDB certificate store being managed resides, and its location MUST be in the system $Path. Use cases supported: -1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. -2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. +1. One-to-many trust entries - A trust entry is considered single certificate without a private key in a certificate store. Each trust entry is identified with a custom alias. +2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias. 3. A mix of trust and key entries.
@@ -171,13 +171,13 @@ Use cases supported: The RFORA store type can be used to manage Pkcs12 Oracle Wallets. Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows. Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created. Use cases supported: -1. One-to-many trust entries - A single certificate without a private key in a certificate store. Each certificate identified with a custom alias or certificate thumbprint. -2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias or certificate thumbprint. +1. One-to-many trust entries - A trust entry is considered single certificate without a private key in a certificate store. Each trust entry is identified with a custom alias. +2. One-to-many key entries - One-to-many certificates with private keys and optionally the full certificate chain. Each certificate identified with a custom alias. 3. A mix of trust and key entries.
-While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Extension can be installed on either Windows or Linux, the Remote File Orchestrator Extension can also *manage* certificate stores residing on both Windows and Linux servers. When the RemoteFile Orchestrator Extension is installed on a Windows or Linux server and is used to manager *other* Windows or Linux servers hosting certificate stores, it is said to be acting as an *orchestrator*, managing certificate stores on one or more *other* orchestrated servers. When the Remote File Orchestrator Extension manages only certificate stores residing on the *same* server, it is said to be acting as an *agent*. When acting as an orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and operate directly on the server's file system. Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are shown below along with : +While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Extension can be installed on either Windows or Linux, the Remote File Orchestrator Extension can also *manage* certificate stores residing on both Windows and Linux servers. 
When the RemoteFile Orchestrator Extension is installed on a Windows or Linux server and is used to manager *other* Windows or Linux servers hosting certificate stores, it is said to be acting as an *orchestrator*, managing certificate stores on one or more *other* orchestrated servers. When the Remote File Orchestrator Extension manages only certificate stores residing on the *same* server, it is said to be acting as an *agent*. When acting as an orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and operate directly on the server's file system. Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are detailed below: | | UO Installed on Windows | UO Installed on Linux | |-----|-----|------| @@ -196,7 +196,8 @@ The version number of a the Remote File Orchestrator Extension can be verified b
Certificate stores hosted on Linux servers: -1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux servers. If the credentials you will be connecting with need elevated access to run these commands or to access the certificate store files these commands operate against, you must set up the user id as a sudoer with no password necessary and set the config.json "UseSudo" value to "Y" (See "Config File Setup" later in this README for more information on setting up the config.json file). The full list of these commands below: + +1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux servers. If the credentials you will be connecting with need elevated access to run these commands or to access the certificate store files these commands operate against, you must set up the user id as a sudoer with no password necessary and set the config.json "UseSudo" value to "Y". The full list of these commands below: |Shell Command|Used For| |---|---| 
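Review bot: the "+1. The Remote File Orchestrator Extension makes use of a few common Linux commands" line still instructs the reader to "set up the user id as a sudoer with no password necessary" without saying what that entry should be scoped to. Since the table that follows enumerates every command the extension runs, suggest adding that the sudoers entry should be limited to those listed binaries (NOPASSWD on the specific commands rather than ALL), which is the "least permissions necessary" intent the UseSudo description in this same patch spells out. Removing the "(See "Config File Setup" later in this README ...)" parenthetical here is fine, as the next hunk adds the [Configuration File Setup] link in its place.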
@@ -208,27 +209,30 @@ The version number of a the Remote File Orchestrator Extension can be verified b |rm|Used by Inventory and Management Add/Remove jobs to remove temporary files (only when an alternate upload/download folder has been configured).| |install|Used by the Management Create Store job when initializing a certificate store file.| |orapki|Oracle Wallet CLI utility used by Inventory and Management Add/Remove jobs to manipulate an Oracle Wallet certificate store. Used for the RFORA store type only.| -|gskcapicmd|IBM Key Database CLI utility used by Inventory and Management Add/Remove jobs to manipulate an IBM Key Database certificate store. Used for the RFKDB store type only.| +|gskcapicmd|IBM Key Database CLI utility used by Inventory and Management Add/Remove jobs to manipulate an IBM Key Database certificate store. Used for the RFKDB store type only.| + +2. The Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server. SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer. If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer. -2. The Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server. SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer. If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer (See "Config File Setup" later in this README regarding the config.json file). +3. 
SSH Key Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or supply a user id and SSH private key. Both PKCS#1 (BEGIN RSA PRIVATE KEY) and PKCS#8 (BEGIN PRIVATE KEY) formats are supported for the SSH private key. If using the normal Keyfactor Command credentials dialog without PAM integration, just copy and paste the full SSH private key into the Password textbox. -3. SSH Key Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension (see "Creating Certificate Stores" later in this README, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or a user id and SSH private key. Both PKCS#1 (BEGIN RSA PRIVATE KEY) and PKCS#8 (BEGIN PRIVATE KEY) formats are supported for the SSH private key. If using the normal Keyfactor Command credentials dialog without PAM integration, just copy and paste the full SSH private key into the Password textbox. +Please reference [Configuration File Setup](#configuration-file-setup) for more information on setting up the config.json file and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) for more information on the items above.
Certificate stores hosted on Windows servers: -1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command (See "Creating Certificate Stores" later in this README). +1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command. Please reference [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) for more information on creating certificate stores for the RemoteFile Orchestrator Extension. + +
Please consult with your company's system administrator for more information on configuring SSH/SFTP/SCP or WinRM in your environment. -
  ## Remote File Orchestrator Extension Installation 1. Review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) section and make sure your environment is set up as required. 2. Refer to the [Creating Certificate Store Types](#creating-certificate-store-types) section to create the certificate store types you wish to manage. 3. Stop the Keyfactor Universal Orchestrator Service on the server you plan to install this extension to run on. -4. In the Keyfactor Orchestrator installation folder (by convention usually C:\Program Files\Keyfactor\Keyfactor Orchestrator), find the "Extensions" folder. Underneath that, create a new folder named "RemoteFile". You may choose to use a different name if you wish. +4. In the Keyfactor Orchestrator installation folder (by convention usually C:\Program Files\Keyfactor\Keyfactor Orchestrator for a Windows install or /opt/keyfactor/orchestrator/ for a Linux install), find the "Extensions" folder. Underneath that, create a new folder named "RemoteFile". You may choose to use a different name if you wish. 5. Download the latest version of the RemoteFile orchestrator extension from [GitHub](https://github.com/Keyfactor/remote-file-orchestrator). Click on the "Latest" release link on the right hand side of the main page and download the first zip file. 6. Copy the contents of the download installation zip file to the folder created in step 4. 7. (Optional) If you decide to create one or more certificate store types with short names different than the suggested values, edit the manifest.json file in the folder you created in step 4, and modify each "ShortName" in each "Certstores.{ShortName}.{Operation}" line with the ShortName you used to create the respective certificate store type. @@ -255,7 +259,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
UseSudo (Applicable for Linux hosted certificate stores only) -* Determines whether to prefix certain Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands. +* Determines whether to prefix Linux command with "sudo". This can be very helpful in ensuring that the user id running commands over an ssh connection uses "least permissions necessary" to process each task. Setting this value to "Y" will prefix all Linux commands with "sudo" with the expectation that the command being executed on the orchestrated Linux server will look in the sudoers file to determine whether the logged in ID has elevated permissions for that specific command. Setting this value to "N" will result in "sudo" not being added to Linux commands. * Allowed values - Y/N * Default value - N @@ -289,7 +293,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
-SeparateUploadFilePath(Applicable for Linux hosted certificate stores only) +SeparateUploadFilePath (Applicable for Linux hosted certificate stores only) * Set this to the path you wish to use as the location on the orchestrated server to upload/download and later remove temporary work files when processing jobs. If set to "" or not provided, the location of the certificate store itself will be used. File transfer is performed using the SCP or SFTP protocols (see the File TransferProtocol setting). * Allowed values - Any valid, existing Linux path configured to allow SCP/SFTP file upload/download tranfers. @@ -309,7 +313,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
DefaultLinuxPermissionsOnStoreCreation (Applicable for Linux hosted certificate stores only) -* The Linux file permissions that will be set on a new certificate store created via a Management Create job or a Management Add job where CreateStoreOnAddIsMissing is set to "Y". This value will be used for all certificate stores managed by this orchestrator instance unless overridden by the optional "Linux File Permissions on Store Creation" custom parameter setting on a specific certificate store (See the "Certificatee Store Types Supported" section later in this README). +* The Linux file permissions that will be set on a new certificate store created via a Management Create job or a Management Add job where CreateStoreOnAddIsMissing is set to "Y". This value will be used for all certificate stores managed by this orchestrator instance unless overridden by the optional "Linux File Permissions on Store Creation" custom parameter setting on a specific certificate store. See the [Creating Certificate Store Types](#creating-certificate-store-types) section for more information on creating RemoteFile certificate store types. * Allowed values - Any 3 digit value from 000-777. * Default Value - 600. @@ -318,7 +322,7 @@ The Remote File Orchestrator Extension uses a JSON configuration file. It is lo
DefaultOwnerOnStoreCreation (Applicable for Linux hosted certificate stores only) -* When a Management job is run to remotely create the physical certificate store on a remote server, by default the file owner and group will be set to the user name associated with the Keyfactor certificate store. Setting DefaultOwnerOnStoreCreation to an alternative valid Linux user name will set that as the owner/group instead. If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please make sure that the user associated with the certificate store will have valid permissions to chown the certificate store file to this alernative owner. The optional "Linux File Owner on Store Creation" custom parameter setting for a specific certificate store (See the "Certificatee Store Types Supported" section later in this README) can override this value for a specific store. +* When a Management job is run to remotely create the physical certificate store on a remote server, by default the file owner and group will be set to the user name associated with the Keyfactor certificate store. Setting DefaultOwnerOnStoreCreation to an alternative valid Linux user name will set that as the owner/group instead. If the group and owner need to be different values, use a ":" as a delimitter between the owner and group values, such as ownerId:groupId. Please make sure that the user associated with the certificate store will have valid permissions to chown the certificate store file to this alernative owner. The optional "Linux File Owner on Store Creation" custom parameter setting for a specific certificate store can override this value for a specific store. See the [Creating Certificate Store Types](#creating-certificate-store-types) section for more information on creating RemoteFile certificate store types. 
* Allowed values - Any valid user id that the destination Linux server will recognize * Default Value - blank (the ID associated with the Keyfactor certificate store will be used). @@ -335,7 +339,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked 
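Review bot: the "+ - **Short Name**" line in the @@ -335,7 +339,7 @@ hunk corrects the anchor to #remote-file-orchestrator-extension-installation but keeps the stray closing brace in "(#remote-file-orchestrator-extension-installation}", so the Markdown link is still broken; it needs ")". The same "}" is carried into the five Short Name hunks that follow (RFJKS, RFPEM, RFDER, RFKDB, RFORA). Since this README is generated, the fix belongs in readme_source.md, which is exactly what the following patch (ab#55565) does.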
@@ -369,7 +373,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked @@ -403,7 +407,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked 
@@ -442,7 +446,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked @@ -477,7 +481,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked 
@@ -511,7 +515,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension}, step 7 above. + - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked @@ -559,27 +563,27 @@ If running as an agent (accessing stores on the server where the Universal Orche
-Store Path (certificate stores) +Store Path (certificate stores only) For Linux orchestrated servers, "StorePath" will begin with a forward slash (/) and contain the full path and file name, including file extension if one exists (i.e. /folder/path/storename.ext). For Windows orchestrated servers, it should be the full path and file name, including file extension if one exists, beginning with a drive letter (i.e. c:\folder\path\storename.ext).
-Server Username/Password +Server Username/Password (certificate stores and discovery jobs) A username and password (or valid PAM key if the username and/or password is stored in a KF Command configured PAM integration). The password can be an SSH private key if connecting via SSH to a server using SSH private key authentication. If acting as an *agent* using local file access, just check "No Value" for the username and password.
-Directories to Search (discovery jobs) +Directories to Search (discovery jobs only) Enter one or more comma delimitted file paths to search (please reference the Keyfactor Command Reference Guide for more information), but there is also a special value that can be used on Windows orchestrated servers instead - "fullscan". Entering fullscan in this field will tell the RemoteFile discovery job to search all available drive letters at the root and recursively search all of them for files matching the other search criteria.
-Extensions (discovery jobs) +Extensions (discovery jobs only) In addition to entering one or more comma delimitted extensions to search for (please reference the Keyfactor Command Reference Guide for more information), a reserved value of "noext" can be used that will cause the RemoteFile discovery job to search for files that do not have an extension. This value can be chained with other extensions using the comma delimiter. For example, entering pem,jks,noext will cause the RemoteFile discovery job to return file locations with extensions of "pem", "jks", *and* files that do not have extensions. From a19dceb33be8f3e8dfb4bf1b895c4a416754d7fe Mon Sep 17 00:00:00 2001 From: leefine02 Date: Wed, 24 Apr 2024 21:14:34 +0000 Subject: [PATCH 100/108] ab#55565 --- readme_source.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/readme_source.md b/readme_source.md index e4416b0d..12d5304e 100644 --- a/readme_source.md +++ b/readme_source.md @@ -238,7 +238,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. + - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation), step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked 
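Review bot: in the hunk that splits the orchestrator/agent paragraph (the "-While the Keyfactor Universal Orchestrator (UO)" / "+While the Keyfactor Universal Orchestrator (UO)" lines), the carried-over second paragraph still reads "is used to manager *other* Windows or Linux servers"; it should be "manage". The split into two paragraphs and the replacement of the dangling "shown below along with :" with "are detailed below:" both read well.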
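Review bot: in the @@ -208,27 +209,30 @@ hunk, the rewritten "+2. The Remote File Orchestrator Extension makes use of SFTP and/or SCP" line keeps the typo "apprpriately" (should be "appropriately"), and the rewritten "+1. Make sure that WinRM is set up" line keeps the mid-sentence capital in "when setting up your certificate stores When creating a new certificate store"; suggest "... is part of the certificate store path when creating a new certificate store in Keyfactor Command." That same line quotes the WinRM ports as "5585 for HTTP and 5586 for HTTPS"; the WinRM default listener ports are 5985 and 5986, so please verify those numbers before they ship in the generated README.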
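Review bot: in the @@ -255,7 +259,7 @@ hunk, the new line "+* Determines whether to prefix Linux command with "sudo"" removes "certain" but leaves the noun singular; it should read "prefix Linux commands with "sudo"". Dropping "certain" also changes the meaning from some commands to all of them; if that matches the current behaviour it is consistent with the following sentence ("will prefix all Linux commands"), otherwise "certain" should stay.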
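Review bot: the "+* When a Management job is run to remotely create the physical certificate store" line in the @@ -318,7 +322,7 @@ hunk carries over two typos from the old text, "delimitter" (delimiter) and "alernative" (alternative); since the line is being rewritten anyway, fix both here. The requirement that "the user associated with the certificate store will have valid permissions to chown the certificate store file to this alernative owner" is the operational prerequisite readers will miss in the middle of the paragraph and would be clearer as its own bullet.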
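Review bot: in the @@ -559,27 +563,27 @@ hunk, the retitled "+Directories to Search (discovery jobs only)" and "+Extensions (discovery jobs only)" headings sit directly above context lines that still read "comma delimitted" (twice); suggest correcting to "comma delimited" while this section is being touched. Under Directories to Search, the "fullscan" value is described as searching "all available drive letters at the root and recursively search all of them"; a sentence stating that the connecting account only needs read access to the scanned paths, and that a full recursive scan of every drive can be a long-running job, would help readers decide when to use it instead of an explicit path list.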
@@ -272,7 +272,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. + - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation), step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked @@ -306,7 +306,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. + - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation), step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked 
@@ -345,7 +345,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. + - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation), step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked @@ -380,7 +380,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. + - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation), step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked 
@@ -414,7 +414,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. + - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation), step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked From b117085f6fff4f153ab3e33682e051c673fd5440 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 24 Apr 2024 21:15:07 +0000 Subject: [PATCH 101/108] Update generated README --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 588e6b3c..205412d0 100644 --- a/README.md +++ b/README.md 
@@ -339,7 +339,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. + - **Short Name** – Required. Suggested value - **RFPkcs12**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation), step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked @@ -373,7 +373,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. + - **Short Name** – Required. Suggested value - **RFJKS**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation), step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked 
@@ -407,7 +407,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. + - **Short Name** – Required. Suggested value - **RFPEM**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation), step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked @@ -446,7 +446,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. + - **Short Name** – Required. Suggested value - **RFDER**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation), step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked 
@@ -481,7 +481,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. + - **Short Name** – Required. Suggested value - **RFKDB**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation), step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked @@ -515,7 +515,7 @@ Below are the various certificate store types that the RemoteFile Orchestator Ex - Basic Tab: - **Name** – Required. The display name you wish to use for the new Certificate Store Type. - - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation}, step 7 above. + - **Short Name** – Required. Suggested value - **RFORA**. If you choose to use a different value you must make the corresponding modification to the manifest.json file. See [Remote File Orchestrator Extension Installation](#remote-file-orchestrator-extension-installation), step 7 above. - **Custom Capability** - Unchecked - **Supported Job Types** - Inventory, Add, Remove, Create, and Discovery should all be checked. - **Needs Server** - Checked From a0d40e9ec119f55b8656a869a18e785b41efab8a Mon Sep 17 00:00:00 2001 
From: leefine02 Date: Thu, 25 Apr 2024 14:15:50 +0000 Subject: [PATCH 102/108] ab#55565 --- images/orchestrator-agent.png | Bin 0 -> 24789 bytes readme_source.md | 15 +++++++++++---- 2 files changed, 11 insertions(+), 4 deletions(-) create mode 100644 images/orchestrator-agent.png 
diff --git a/images/orchestrator-agent.png b/images/orchestrator-agent.png new file mode 100644 index 0000000000000000000000000000000000000000..bdeaea4ca824b94458eb8db592e33835d4a67ba7 GIT binary patch literal 24789 zcmagFbySpX*EcL(A|MQ)^pMi1gmev^lF}*CqS7TGHIyhR(jddojifZ9h;)oJNDkdY zyyw7m-_P}Y-?!fHk6CNhxsKR-AHSW)J|eX=6p0D%6W+RYi&$An{^_k-n0mKvVF=*k z0$=o^46JY6V!Wj+FQe;)f%HGE8yOixq6W5(_h}X{c4mZ|wkMe}a~=mXrgNk}4u-xB zHsR&)V2t4bTSZyCKExE_$TEYFif!WH#Fo#b6d2l!N-FEY9r8=Q_Vg-Orqzsp5=%|B zV^2IMu>@nvzr`oT083*>+#*}O7j!jPg>#?r-ycb#ob=fL8uU{7ZB8GC{HK2pf`H=w zS>pPu2&1(2@-49Xf7V5R%z^gYBKw~?w4_ z`M>tgf-MMKQ~J*wJZug)t#lp%_F!cf2Y>t9pSJ88h)ScC^z%}>_vpXd1bG2d z7Tg}VZ>0!W<3dQ@#ql$aqFryQKJLn9#^Jf9tq^*LR&4N9*JW@@oM|Uyx#2$*?B^=o0Mp{ADv!%LrYcwz@DCs8X}SnboY!lL6RzT=YW!F@3G8Vd&#j+o7^NW zSPpbf;mR8h=~^R&q$978=KiC8rX4M{LC&4g4-s{T1Q&%QFA5M2n&Z9WHi%qt3U}m7 z9Wj#|N^X(i1Edg=J(zEShUPuvtS^>@KtM-&BK8?!lu!bE0uV1J=WihjnX%X-I~<}- zINeBB%i%rLr)m?_Z@-w)qcU60$~Wfz(yqkhH){^jn*^Us~#(*8k=bOa!v z2ql7JJ#j;A@&*D+3!D%_QZAq0xTmCa%F0N?id+4}RMai1 zCd4_NPIg-BH%lbTQn`M&e#Y$e&|yi~!2XHJWo*>}kQ!EexG;5_qX3g<+R z+8I`$P^t*bJeFOGF(T)}6MQ@G-%^w;Ao}cY1kRKGAW{AE&d53z#Cozb3CeBP(0nwU zMO@1T$GphLASt_>jMVL{zq(i~gBnQ5#=<~0ZeU0k z-n(@5G2Ge`3mFMxdP4q$+?FwIx6r2g23T3Z3!0_uQV^uKYIkx%H^srXc+slT*&;6T zKPWQ-RCWm5{?;3XJ_F6g5mjQN%lXs2zv-Dt({2uV2t@6;QL&Hh)JXFemWM`r9J)i#8qZYs0OJ8I%DT&5e`fG>O27!=T4%ro|$)RYPwa z1ZSQD!(-{hy6Q#)vGkVje2I&4JG>{#cEWE(8vO^Kj?)6F{7zfP;X` zeKSl4z|w##Lz6Z_0FWjc!)DEd36cYLu)=MH4_LfW2uHmPFoYO5KX@DCLu{~? 
z9YX#qpRtlDV-4&hPK z%aBnj^9b=%-P#{*A)|D28WQXo>EN*j$z7)y5{RCopP>q{TMa3!7&g^xyp&`NDQ#iP zTyEHaB$bgq@vbz&`aFghkF+y_JsoAvD73f>g})K0pak|GmCmZnarlcPgJUTeXzB4t z&$t%)vr*!%%W6@qG7jhN!9CN3)H{m*9{(YSuuhj>E|kc?Y%R@IzLaKq^*A?fe_b#$ zAfkZpSLY*%3<|xq3M+Mh_P#i2RtP8~I~dmIJBELeZGK>0ATRE(_|fZ2&&M223H@U9 zv7C~@s$qS`e^$F5ZUaOY?Y@hebZ(7jE};oMcj zc#5Y7k6?%B;bHxRqrpTUG!?~Z@?wY=sZa!^D)A7=Zu(e1WEJUye9C@NTc!79Ph(-- zQ~UwE@6FN>6+oO1Bx@{Zz4@4CKsw(aiMd{dU>j-Ixu!qV!E@EzOGR#mnEt)Q`Yt>(BJQJA$Zoo#-J@_;c}kz_v)&kiimR z>jyIH`XuE&64f*7R?n6@7$5L1Oish@4jj~L>*n`B1<^}OVbDtO=mC29pmO*B`6_?iR#EKw3BYW_s5bwghINsgp9#-Du z9L_tSzkn$Lbm~l2*Z-=yxA~a(!lqwv9O@J(dGUL#>(v3V*wU9Y7nNqUPmh(^G&8t| zzo>tFR`vXQ^YIMVfYepf`N?A3n%F@3m+nyaPx9i%xxjDHTJ-^(`~Dxm8D_2HkC^Go z+=`|iCDpa=j^u7Nu(_0t@A6at69sdr4@E753|!(>`I@U&me-5Ql9J5>o~Vzfjt$li zMQ|=m25^XWzqYxe&!o^p#<7nv0tt%kjXG&nkml=OX3)=7?_cpWp|tx z8;KI#&Sw!fE8ZSJ4ffnR@1m_mxO54iai?uWk^*vx2j?Sr4Dyfk3pDHKziIF$mGB6v zFqOXP-T-#f9A^0_YQG51Seq+j&JfYBQlij%mZg#g=n_RJdJ%e+a9BG}tG@kwjzTku zq?2CJu9fyg2V|IQev%Wvh=82UD|K^1!-z~;d|1YqUEFhXB7SXGSvzqn#fk?_N)WKh z=wjM^EBm(gu@HekncSH#{Usau&4#tL53AqwB|HeBDhA)M2 zY|4M3OUqdMaH9+?tmzz)Kl$32r1RijjE_!1RF>&e72gUqhs=al59E}L_8}l9R=w|! 
zrPP6SE=Wf}1I~!rd^{#wbtpVRy5c?nu|(;tq#Q!bTe2!rDSy^e;m7@t^k8uw%I%!} zU6pCt;VJDr-wrp%J%^iCgpdp1jC2__@!>_tzbw#*hVCgE1$j)ov62Vu9>OuiEfLui73ZM=jk4chPaZ79KX|19;0Boau9SEY%aw zQi0oU!76z8veL5#`E}S8vA(%JAIg1J=T|)zk`+fQ2kvi|wIf^SJHk=ao4-}S89`Z3 zt2%Y!Bh1MMyi68eJ@}8O(t~6HmfwQUY>4zpt}AI<8A|^TVuC@?2%D;gzxmKZPF_YW zn|Q457c?+nebzU(VO0?&OXDZ}TPz)bsFrRFo!A)Sjf3xf=3O=7XFs5wRjlGvL=WJ+ zvTeiwSRCF;+d@W#XQ4k^UKWv9_3(Nj>YCk;H)~;j(^xBbKVFIvIUm#}#V&J|DY%#P zZ}dcDaYr4jWCq@W!Yw<(Y%L`d)fZ9;zl*jT_g8HDGp~v5Xx_^l5(*Ee~ zfv~ALQL1jxN6QZ-8bC-ayQcs89#p`#{&>evAJ34VE|MSx(hfleCITGAxVX5LYmE7T zdA%%V%mSjj#g32T~gB-nN+ zPgzdk$5{HCDkT{{L8=p6?NAcFWS(cy5q8_Ta^lRlAHc!f^$@_`ACkfHVeRE}?KLaJ zez8jl~ZckA~uk+;a`wv9hzTUZn0?5ql6ha_&hK^)O49wqGz zNep%0o@oYV?Jjf)HR>XEh;s;Ak|fA9XUW#>08i-`$7%#bw^@d0LyMfManvd=Hu+j< zSZ#c8XOhJXLM4 zRqiz1Q1k!4C>Du0KZl{m=7cu)6pv51E2-X2&1R(6S*(`SqO$g~FZUo?%e%n8sd5~; zpdf&)feeYRoar1-K#Dl#KQbZ;w($=i0lulF=WYqwfpBB`Gr=i&j2?3s9&OLgz7sO5 z{^~j_Ir;UqT`AGoZSy^X|0|azbu*$IhLRTt!!p&ow|~^TE#mGo+CYuwLL}vIX6Nwy zcznSbEzBbWUQcyT=~b&0fK#i$KL~|=5^-C|vhd#T7si7`L1Egt3g6p9iEO7E+`sa! 
zlKU4i)Wh0^H#^2F*@1JDy@*C1TZQ~T$7UYE$z{Q4@< z|IOl4(~@~pmp~L^cIksEZ=qvEbP*eR^M=jJAH0Og_Z~e@a9N%ENXT_!bcBw{V41sl zusw;Sbq8WA!W_aMfJsm#WAl5kPn55U@svSS+gICteWWld*miH}`>U-#Ux$bv`31Xj z7SFwYhK50E01(pk9ecrZYXCb%0)1ebJYPgE`dS~?d|l+PUTon}&U)i^OCyJV-+ApT z|01DxAU|G5w19@UuLY#(ULAHX`^oFSw|{9_(kyWDPEK-<^l;x@4=3>UsCZ=lBDap( znGR9VKkod?FqGqXI{*n8wafJP(AG_t@U5+8CZ2usg-|kC5WsKz8amSRiz{e&79tY- za`2t=QYgWxb$9gFlo%wxrd@LJEm;YW_KVvH&R@Dtp^_6mRANiGWc6>Qfi)iuh(F@c zFKt+dcgiTHYna=X`y4vl6LK=_Av#l0*&%C(>!s(_dM}e}n&+YDG@+cci-j6vj1G*^ z#rVN<6$=Er-I4T5;m#Edgq7va954&Ki`)_@_fodm3!+ms`K+THLUzn|eKq4|X(CfJ z!Y&EQAK6%wdO+N!4F?N9Km6j)f0kR8hs|Kwk>GY6SWt3aYdH$?Kgd?zcvewhYeJ3=iJMD2PM4D#rSbyK z4(!+7D2p!bl#BYkgTdRKRTfeoe@I_GMgd-XbaHoyuSQNg&n>)4fit=tuUn7-6JHtU zerLR?lNfUNZ??0D*q7Q4pLOQ(ix@ympfFEBc|)w06AjEBAYXI{<8%H$kz}Rr+VKp- zrcUqoJFx1a0a-pOn}5i!QKK?609l+cR^|Lv9h)Mkg;bA5$cdVQ`;pzRk$Tm-u>ZGa zkG2^Vr81_g%hIucL`0cG#hqO5c*%6-&Uqh_tsK$KUdwn2@bHTTuBgOVUFSA%~&&m{v;UhmJ|7tV{@ zfmgo6&dpjjhr*)KlCIciM!L&5M_Ur$x?gvnxPi;)i$+OaroMSym8cToE2tUo#qtGkNwt@ie zj1yfZxD)a&70=hL8gU`+c-a0cyZ&IqDN$0`HZJC6W9-0^w(hdD^ky)S4E;f8@EGg* zIVyagFNEZ<)Y=io7ZH%563MRi(g*NYBF`pq02d{ng|15b+$#I{FM$8_ChVnwpOLbf4zF?9#_PkC>uzw`EKge6OT=5yJ8W?9_zO~(mg%5 z>ak>t4R~{4eQPSCE*@WEw;2huyW}R3&o_(f*9#`${l;J!!9CIVL1B5+H|(6ISmiFQ zGWox@1+mnR*nkt5VxH?_0`jN|kHTzM;vSs4b+2AFt_0!b60Q94=ABNM!hgQVkFrVT zF=oCU7U#q(*Bp@2h8kEQ!xfP<^RE$zcD%f|Y~2|9J*u~9bA-&g8(om{#cmRLmjjm= z;}tw0o+Q;tsgOB4wTqu;&LLXaXf$nrCy@PV8JjG06V~r@7q+9CCbN9GGTr~2iIb`Q z0sNC2!EqD5K=luQfW9*<48A+r0DE3-UD{m<$h}DRTq4el!nL}CX;1BQVa>I=RftCm zbr*@7_rVKsTz9`TQSc%7A)nap>Z4=;Gz~Wl;xIh08-QAbDcCt?%xag*J@LF+9^^Pm zty})%-8Ox(lZ&5`IaIM-hqsT>N)_)t`QYTe#W6aNd-s+qTuT@9_-(B*>h+nxqP#|C zZT{iR<qn>#IJbTy5~hf7i*WXD~6p+e7%W11*1wTNsV#Vh%RGmm5Ar zj{sN4^c#}TzvcOb+$ZDh8qmipL!E6y!G<0o`9<-7;NC*1>b$El^wtGe3UA4-E0WhI zC*L!Cd7Kl))2TPa*QT=cYM`{~{1wG(Dg5sp;kjM{-Hpcww=MIDy~t9N(^W#0SAep| z>iuh~*M0CS?Y)jA1|goyaHlhlkE1KKin}g;O==moi&5z@oyJEf32*eg00xq7P3$w! 
z4YQMEHi5+9snHEBnM#&*+iO1S_WdO*K8F($v5Xp^f z+pVn*KfO45{@s-I&F{f{VwzmTjq})2*H%y)2`S^3awp$kWSxX*duTv_!akG&EdIv2 zo;upWXft|nvb(wvMYPj;{Crer*8_P>V*Yifzj2{?@Ay`$ldjAt$*i|pR2CW#${WJy zinSKs4Yu=ox|ri2RP&RsRoC-EjE~D=7yR~l@IqK0?}mAs;=UVglVg2T$(Y;}@$-j< z41c*XaIl05-=gF=;Dq$Od0V^L^JKZ;wu+6zyicRQTJ5|k7H9lNV_AQpq^>Bwx>->$ zOBVN2FwLQP1`k|kBvMS*s>&+qu)`zLZ2M+^NPnM#a;DJ z+`+CA4@kh?eZ4>^e?vKK=VQ}tKY<4RS$=)&x{vD#&woZQh#l#rgUM3` z#h@h&Gf&3)SFexP#ma&PmLhGw zlz;I{-Q$XY`OptyCRx7MNS5Z95Cpsc4)|JHICrerO$W?LO<@csv&uhSjn}lk6o38Y zPs^9Xt*!h)LmtC~TD`!reKbHWo)F6AN(P!?|A>iXEc+m|xHs+-8YqpuW$K;%n5_`=flBX=2O*cgQryN2~B%0>8!zg>~jpUWv!I+dHRQOxuOc! zq5_GE@^4s1Zso>tE%`+kNnOx(g;3e(OO%*Wbv<(T8O{CP6UYbNul%Sva(c7}RE-*s zBmUH>U|%&E-m$Nf@M!8){|I6G!}4&eyIYEQJdW(1V1vL%K|guBqu;Z|PrxT$XYtIZ z3*TlUq`7XC2-L^QZM;7a(MieoAUlMv{-9r2n_H*A{df60z2jD@u3#d?^w#lJf@_Ps z8(pGg>_xdg=?vbd5@JZsj%ep;S$ibE)nJUx2k%nsciRl`*2RAG-Tto2V&Ikk;=ZbD z(}TUARWYfBi08tA^5UB`sNv@kbIFxbSD(MIk1=6R-e}Zhj5b?R2`R>d=6x5o=_MZ& z=@E>t=H3QgWp@o1&6qi%oHZ?Oe`&oyK{i*?6R=(qH9J^wMl+B!UA=bR_YOVT zA(C%Wjf%v#3B5Ktwt})xCN9oj$FpZTaG&Ip%)B(oKVVqALNVxm-|wc$&-52+znW`v zI5nqqZARPaXD^lan75eT_&Hl{&*V{#{**e8?ETOf2IcA;kjJi+zE;6XYPu=F$ufd4 z(TuVu4&&&G2AJ54Z9b0=I#!s^-WFx=6b_Jm{ikXLdcGp%9{Z^R6m(6GyMWK@zdz$! 
zFOaU4j^m|Y#==P$=zl7D-@AJrlG%{ZRVLyzqF5~KIzwx~>OKRsNAOOSQv(&Dr&>vh zL)M+l8RF+Wa1yi%>QLM%IqNDS*-Sfg6T8i~*QqLjVq((plaY0OZ53lzwxh;IPPQX^ zO>YA=nF+s}+Z_nhth(czx8bEdri>+|lQr4op*()W8=GjxBMk`Id8Kpttg> zc%PG&pUCp#FO^jY1=X9SwH$Y*H%|9>YnAG~98HS__Cw#jN-LvsN^|WRw#X$yI<=g| zyh_&#F|7&rb26TFlHk&CqC;XGjcV4|BOEi%!UdfieAD8Pd9~%a{yaw2t5%uN)b4v{ z)X@7A+JWnxnL^o_{Q6@0tK=x9`*?fhG1$J}G7%s2}U^ zNnImT?d5!EDra7Kw{v+M>U>h7X^qa+vaWtk!VNI&1~-N&D*ks=ZK)+DmHG5|RIXqQ zkvJub3BI0ER=Nw~%z?zaK4Kk0?S8mm&sSO=BP5g^Qxg;AYGPciGi#x9(R1JVy@e{O z3c(@AFl8p7B~?v)oKLj|0aEe^0YRli_p1*!~?Mqbi|>mGWKO!A5|WjhsjZm zh4^;IS#a_)KK!AWWCW3Sd1UPr-g>ts+0<|Vy!r_3q-@)GKPR>w@3oxPa?gM^diYwQ z+)cU93?=GY3^ONu4{ub8Hx{Q^3lVjnH+G_q%A#3h0W%U3`gRO54zuPB?AJ!w!#r?bP?8$_3*X6a^ zKKvFQ$ACypX-tNGmej!==v&4zyW`;2?%SAxzP`Tp^Hj_hd|~w#3s!|x8on6ap)@EZ zpSI50<}3se$0j_20J#b=;mexG5#_yYjCZ7~H6hvI5rMU=G-kJ1!GGQ(2%x;;zETqw2)IN1>z#}JtYdwXSSo!wNCw?EjKJA|LNHPCpRPx+X z8-}_^NI$v>ccUHQ622HZZn?xr9BL|UliL+@!IK)gg*+u?RPH8Tqj$!9+PX!7>oEep z1y~uC+Xjsj%vHafC6aR@+;yt%EYh!rNX)~0!$B$}l4IX(wrbD@=UUO#F0&c%U-GbV7IMsBGQoJ@~P=+5#^mCYwd{f!{ zFD6q$<+GM{?%a`zeH3nC>(s-kj zsabm2+n@0%fN&P={b|U=-$}YXWx>9zU~?r|ADs=y19LNJ3A+{=_(ijcU0V^(Mu8k# zAOxObypH0h>Nm{JPrfK&|9M>K!vOKb>uj5=btd~ls_%}PsK%0iOm+jXuD8a?#Rg^| z@4dqA;H$a5gkKpkeu&y;wG2T&@57p2sQ_#4#@$`CEtrIejy#;X6C2gS>w9#&q~r4z zY5j2v{`kE|ja6;>7dKvT^rXIxY9_I~;_|3*4?D_SsL-|kLi@|X&#HLW4#fz+WB=5q zqGY~nXQufE2rlXDRJZ!7R?dzO5w76zxX7JlRMEQB-)4nXbfus1=n4GXicrwbte8;_69{+fnA#(&+1}gOE6$4JjAH{YO$4 zkB+A0*U^hjXPIXU;RWLfU+sH8`FwT0AF;FZp`$V{|M`){WpJgJp1IU@Bx|Nr#$Q)( zGTpGL)$^pdeZ8f-z@Ta)I*BXhCc8M}S6VrT`Z8NRs|A~;6+8O-@$V5ZDDuepTpaeY zlkT!-Cbbp$psvqhPZ~8*@po}^bx_;~IUsq5-l6*}gyf7IPhpz=I(%}7b6<7@Zil70 z87LWsE|0;PNi#Z4QtX=0XgY?|&bX?-kJzrI6$cxaqM)+_67t-h%dL(D|MBUI7@S6o(K&jsM20Sp>yc~A&dnQ0^&u$sMaN#}I)|>f22l6YOYo;Jz=Nf`GF;D2T#t_*EE3@#Jaay=S_g>wmQbYjoMC&TrR1LBHpVpjhAv{;228=k`KSO(5-3D zsKbIxpJOy6o>{xb`ASwL3r@vf_@jPuJ@pDu{PuDKd~F2W$%f8cC#Z;LUO86mF6hvn zF^IMJ>f3zsc3k?g9!RmKe06voc2?2{H6|9$hTwVd-IO}K{|>38q> 
z%gL|vHJg}d9hqtw*HW(ZkZUS&J+}ssYf^U&t&dWGRc&aKI8^)zOwjOirf6LmVe(}#N)R9}lwM z1TI49>rOtSDTyKyT(=0K6I%osFbFu9rV9*CvQOOJ=Vs#=ZxAv^SUB5_I!Tf8b3_$I zRcg&;mBw@(g*!VccJ)qFSmO!EPv$_PKCOStI0~VzmN*l6v#K?$2HJe#{dpFsQBPTL ziw=i2^vYE_3u^k4Kob8Ni$Sr**0ElWP+wghx0=&Roy6E693>EvEi2~UBctW}bs+N$<7(7k@YG|mv)D)3 zj*3c?#nhUH>M1^kX?PMN?#uY@U=N>pdH?BJ=W5A5Ej)rFz0XYMe5)K$P2mOj(zyw3^@&u2f_7pffie_SBN{D5@gV6v@oZhiXBWSrh&99vy7w#--tO z+hy8LJhPaZ2@rq9!twK^=lTK1-2UT@i>pCHu%63rZW}j&kRuc|W+3@@f3l8MGUt-=s?B^t2F98Gp zgmQLWS(I^Q)6FPI8iO3kaM`d`i}PgDEqYHGcj!(F(U@Y8nUB8 zuh1Mq+PPfE~R~Y1oTaBgNy6nh%T<+9U1c#23pysi*!J?c5 zS4%m`Y_zAW!vkxhXD z0UDqOUQEG=z#}i!sct?@x2W<`0xHvVI+QTYx-FoUbsnw^&?e)Wuja(ui&1bH1 z^|)Fj8GmUNGtWHaW7$z4o6-j)l0byDE8o>Zq7m2p()57+llWpx73ddW@!r>;{ba_3 z+;~Muj78*`#I78Ri1e9jOKS7$jxa_446$VAK)xo@!_bph|3v4&>I}fCql;EE`$vLI zDY9g?$NMeF@fmBNZS3O4s~v6&j8L5ZCU>$g0CY8UeUkhLDmCMjz-gCM8KULTNg||y6!maa*ET3V?VKM@d`<=>l(T* z$6JRo1EGKTg&OcT{RA3Qc5ywMzeUp}n@W{8z0w;QFP@w{f^4KSUoR^fm*pOnXZ+T^ z6*+!C@l}H4!OKqK0cXB&&4V0~8{yRpaGMUC(5FJvY1kuf-?mxIxgepZN-rKlxGL^4 zmSQp3j*=ri0JZ=Lt_j8FdAN}j@7J2&H9Gx^(A1j`{ib$t6EPhgyFF$(ODj;2#U5UG z#v(qPx4=^*{3%m{>!JOt5t2(TTTX^+*V99jy_2rjgj|Vvd3>}pWVxLEY_Kk@QMflL z@g~gS^rt=%bCoIxT1gK$?P?`K`GkDkKSy@t_$yJDxqd^cf7!c%dZl!4OBJ;4qEfnE zEUh&&T3&B#z{6vO$#^;PI=EPV;s9E6Jo*#iMDP7`b}dd4x;b0XIeXbA7w>=0e%4KM z>Hj+iDEp%?O4#Agxx7d~v2rsKhoEsL|)oo4=*HH}et+d1D?`w<}haaCQf6_m6 zx_5bM(MK61)*n9I=BxHEv^?Bn^@OzB)a=WBc5MMowgkGX3XAgoIWn=K*=}FZ%ohve zAIH5eHkj^gw{T$w<>g3h2ug|v?AeHw8P4!vl895s0IgOYj-kl)x7XZ{&cEno#BH|C zri#&&Jlw!u%J-0QFe4Z~cA(loo~Kq*Ri{o~$NVLj{wvd~Cq~tVHf`;{o)>L$>oy{J zfR^OOmciLdP)U>3Gd_GLfAIa`f{d-My9j-{o0{NR{QK;yBRWmb*~Rg}eK9Z?Q9d}Z zRk<8L?Y)1oIrP-yCfv$Xa{Hla2irT_5s`cx8+eDYG^J8zt}7Y*YmV<-Ra-r${YkXtvy=s-oSJ1 z&VX~TxQ-2iVlCg(WnGu*;)A&}r9AZv@ZPvNPf=C5{0-MEFLZU6d0e3D!UW+B%ZthV zq$P%5G|G(ML>B;DpyL|y5mYrV{U@MTO(@rsbVnJ#X1quVHP_Kg>0~9ESqR)!phI4k zB~dbASel3Oy5_#vngQZvIz7g@sNvTaYTdI;>f0bk%9}D7NWcfQv43DsMjHEJfJn@j z=+<`ZQ{(N+Mqy*G?3^hh_dwU$3DLkC0p7*5@9Ov6R_w{8Pc9jQ&2r`=>k^5RSef6B 
z>#d&5k<0!Yn%YZ8RKANY6m4~f4eF{}(Gi;+B#kvgDa2Z`wBG5xBvKx(Q9MyH*Y=tv z`*&o$%=BZ`r{+TDsAjuKGH;-*;kBumFH#WQ8ryVvwy`&6?E1aMABFCJ+uI+IGN$5c zzUW~fql#(C9?JfGN)ObV-nWqJv1?`|3`nBXX1o@Ofd;PvCq%7!hSx%5o9)I}Nu}+N zBonHG!ix^76YSYJW`M6rw6P&H!<&bSCFvb zN^12iSLq*cvYC&)ebQjA;*SRRjU}3<hIbKA8Yn!w z-DOdsC%K=MSX$vU#mzvwD~{6+`xWG;kDC(Ewp6H7U^5EWOC;CHUX{Hak-uuwT6Da_ zJnj8@KOv&G1y%Z*rtFh&WeAXDc&`XeD30>f+0rbHSZJ_-op{(^%l%QqkFUdK` zZLo$}WrL0G2L_;@g*C9VrH`66n-dj@RJtl=5jX;%)XkpvOfP^|)7P#$YDt%#CqMYo zYpxCr$i%haNMYBtVhP7&;5Gs6+umu2X@|awW8E}IrF(BQR{9*SnjjM=FCSt(E6g%6IUJk5=7_~ihg=hfyAR*8OOQ-?~N z7HFh%dd~XS6`MBd(|a$GO;+0v&sBQw|24@hXx}$p)j@^x?GUuIDS~u7Vp5AYOAc)tO?2iWnHQI=^J7u1$d9GuJH!%VW1h#;?!S8++B_(mRI5uB~VSGq) z7Qb?-qbb4qkzJF%UHb|sU_E@jcszUc;dqweJs!OXYt>3dQd&Vqd>UKk2W8=_!C|YO zY+>WTz5`=io81qywmrXwUoG`YKR5hc4rENUPmQ&4EUmimYh7C}JiMtgQ_GZs%XXeb zV^!Fu8<9<%5ESr1b1XXsJk?$_zo$MMJ|btofMEVOlkS~pLAy?6!n*W&8SgSxlUd|h zjN?axnXj)`Z2CV5%AGtQiUs;mrN>G`BksSa>HhqYEce%s9Wu$NmOs=RX3l0}dri^z z{WZEZMfhI3N^zC7cqrhW2rYb(d-b;j?8$B4$JrH26+ZG*7dg}H+Z)+pDd*m5ia9H1 z8A@HHVvk=;1>SQ|#Z>jgmVW0GP%mm)w&rksoyt-cbypbZ?tdp|a_L+*J=UpNufCev za^WFOIqPi{X8PK!l#XD2_@ocZD=(VJg}Ggk+q#FO_gDH_!6K88OX?GfW-4>1pT8MI z_^Y{j6*sI+Yvr{^t>i1&Dk)9txIc+`x(q7^tfYI^7Mq94c3OmvHhJ$qbZgASzkO@r zv{bJsTsBfXAzvLvvir0fn2CZ>umbk7j=WP6DBG~PU}}0xd?TH7A)?Huse*kl+{Gk|iy?aObbhtp%b)kU7*Sn}}4Nw-1AFDLK1pNc634{C2 z@GWZ=X5LikndS6J8#bu_(ygKXP#jqd8IOdZj<;P!zwYYHHn4PBg@UXO)!f1S;^awe z-jVRf{vbU(>;XhzbM|aW{V7s7{$e{){35znY&(K>d#40z`UqiMonCh*v&3iX>x!uG z-C?VaZk>=S3H>}>XPO*`^=gbKfs$ zPPI=n^do0bp7Y;%$TlVpJi8o*>2aYX>tb_`I)5GA2bBUF520|N)v{LEYp$f#T{)r) zNH5k?*X1qBn$CPVUkpJxS^0|-<)vvqC0LZl`AyU)M=I}Ew@eWd5L~>S&??0)KuvYu zO+4h&XEZruF?X&WY_{=6uX+>v*lz0w4wT*e(ylulLrJo@3VLi8$kYR!lRejXaVyP3U?)*Z^&GCf5_fv7^CxfJ#YunPE zPwp17ZH4*zye`f-P-xy`u3v{{nbhp&9aW<3lZ@=jKTC&lpT6s8jLGVndipmY0!5CI zUyH22th5r6FXK-uN_;-<)6Rxf0;xWj!1-lUSQL~WX}nRSX((ryojx}DkQS9KahRB+ zq78j!r*0!)TH8+;c(Q-yMb#JG#|h?JROWtzo$A2Tpx0~Xe+vtE&FYc6ruokJan(6}dto?QPh>)s z>*E?qm{RtV@9{x9X?zs$6~ugkau;nfR&Lr7>AXSSTL>Om21-b>o?`cez(2-gp@ 
z-piRHZaI-@rOjh2X?!Qb(a8Vw0=O@*fI!G@Z1B%lahJn+D`HbziiT+~a*@@4Nb%)A>`)^I?;%e@9N1xxl9 z;m#*T1gKh*{U7B=3#5Ev$|-pu;S);Mo$kHA#>!*zfBB-<`!har7Y`k!{n3$R4ZJ+H zBNry75&D_GDC+hB3Vr--RUmI;=UgwgTqx1i!rZ&<74_bsN4j&k-?9vn#PPuL2X}br zVVk0Z4ocs+&(lald-R*&k?WW|CBi=KXHjVbd~HecHQTi6_*4oHM8K*dhp@uuizu0) zkv7h`Z1AmnhL|$xF7k;}HJFM$s*wtjc#b2APuoWtKG|(dU195CJ3N^}NX9dKsH`zv zs-+6|npAEF$JDn)4_DtKu6VrHz@i%CC*Bn6min-yLgTK!{h9N$PC&kai5rAm3f-H& z@@u10nUm88Hx&0F5ZcN)xTCfY)`r#DYwA{eZCJz}--jx6ZYBcuG(Cco@BBr<>wi)c zY-A@fHs~GMyStM4!H0`!3nlaO?g@*;^Im)vwNd2yfcM|dPWc1Gox;1@z{9pbRm{M# zL*W@D;cCQQZb~IU5?j~vkZv%cyQ-=A89Qb!OvPIoWYUi=hp@C|FFgM-mMvJE70mB* zJWD)C!Ct(x({TBaaJxd55MgcpaYjS_%2pGIw;b;3^~BO`OfHMM-G%54gv))w1)?$i zob}bgTy^$Cpa%JQjgi8VR$$WjZNwzkXyi8zcvCFY33;7%BGlOliCGr}1A;O{B<%>Hz$`yOv0Cy^eX zu`%8uU{T2t+@@>~Ju`YEw0GN8LI*a#f<0%4znzrk#~^ArJIh-(3FCp+OMfKImr5HU zTI}{g>5wRz!!k9}*TBPQ2HdaIK)zxW2}eh^Yk4jEzry@-t zbBix*`r%*n3!ca{;L+S@Rhqqs{Srq!vpLi+P<9Df2kD-jNU^UJk>xfGu$5EtKT7S5 zB##lEa-I4^TFD7#Y@(cIs$3x^Yl^|kBoCg>Tka$Qo70kgb*}BTHRxub`dXM3 ziIR36sThon9db*cSH7;x)VW|jPkTIaHLgkOLf58Uy+6m{<{h&pByLmYDz`@Y;G3lunqm}qND3Bc<@zt?^@=-lR-g(J7sY` zeW^?Uv2npks|)~dudVA% z2b!F^F1|F&MukOkZfBp(iX&ZWH?0Yi!mXLEU4sWuJh`Q>%M`8g`37$*DEtWX16zZy1FN4P;G z(cBGl@wmPyEjyXxVLrVIVP-2^IKl9N2n3v_tKDIlvm@mr!GTkjl-co!@$<>w6TlJZ+_- zJ$nDi4M{D2-owfl-88P%3KhZm5#ND;^~S&gp(>v#LO97Ygb$)8I&w{wXxT@{d7+Wl z2*|-gu^<(X(a4*bt=ZPV@?RMea)E*{XLzlGT2dP6>#{-}4bh$W-WXx%`Nh-tv;t_; zaljHrKy-w;byzSV5R7vAo3CYe#2D~$FdS5F0S}T6nc$ngCEpZxn9hgfC`?f$+z^nH zuV0N!tE{E9D?_R#@eRS{7BT?Am#Dwddu`1xxgx&brMk9K<<&VVnhP(DXs_=5pVF>7 zp6c)a7qarnDA}8Ygob2fuVlr&Wsl5U<09EIu91+;tXq=J&A7<8q+3EZ*SH}o8CMdr z{m#Aj^Zkv#e}BFo=bm$3XTQet^}O~=vW{YRW`Y?lvq`G@m~B+)-pvGC$u! 
z=BI%$>a8YZR#KyU*(p94=Bap)o6P(TbkPysdx1w%UD=MeYd9>oWpJ+xvE1~-jnAbh zpb?rFzoHHQzzH{>MoU=~O@eoO__pb!|6Briuj;2m@n<@^(uDqJJh9?R#wi9W&y(mc z=d3p-owfcGu4LdMa88mWd@;bx``&?`)<|Kc0yD%V(nsp@(oI)Q*4gU%t~OCw z#>HFbg=4wL?qN)Vx@cxFd5h*@KPr+d`juIYWR+JL9p9b0Y>fPP%lHf*n%jMtad@Pl zxnw_f{Bz-MZg~sw-F}FTWd`%`tMzz_t}v}QKJyZs{JiK1m2Of&@6y4sab@;u2)Yee zdnfFV5uaZgtyjLAn$qy-xiyIoE&(jM#qKNhKgN%2J6?!ygRUxN9=0yWpcz}y)^}|t zFexNsVhQ`#VA32Lkou8fdb(%n&2+a&x>_d9W zzlM7Yp*+O8wDktb6FEVR-Co+UcwQz8Lg=fhoGZ z-#*%eLwPpekmRUoudOs3;XP}Xm*FUo}(<-F&GOZuRBXT0U2oG=nh#U15 zVQqruKauRIk1)WS-yLdhxZe*Y{4_tj!vew43`3>|49hUX9us7%aOJV+76#;{U3e`M zdaxtV^Sf^_Sx9>x5GtGv7J2>kbm#(&&D@czCJg8)+tzoBa;RjY9^aX1v1ypBKYAT4 z9l_WD4`(z}S3#guXf=sU59?MP`%n?79a&o!?LMidHHSj_oJf(&X36$_+7|UGFU4zX z^2I$0yC&-J-~YiD&x%$Q-{l?g6UcC}G*7(s;X_VI_0PrHL!f$I%l!)P<2+pd$QY3n zjM*I2Bl>giO06?v+83n}eTf2oNkn5ssPqX(>`BqU%=Q$k&NiG0h03Hff?!;^g}%I} zWu4{F33bPZUYDwk@e^klV8pWQjYKu5u_W!I`s(zS_1yicw^`JQ2_8!BlSB@QxNMMv z8(IZOP%vWM>5?gBC`@BXBI^am$>_dy9vK%k7|sSerMH}#;3cNETGE zb_w>T4*mXS1ddFl(`3CBeW-k#@g>aWMf1V5Ud&NVgpY)!JToNFW8CL_sQUW%X49(I zmi9MKZ1wlzJ_eK>IBC92jAMlq(@dioE6&zOTj33J2o25s$^?@DiOZLJ)R9@kiEAD3 z^z^q@KyPq&Dm6b82i~E)6ud`M#gaq4Xy|zTjDmfC>IjM(906C&w5O+n+9{l$$BW43 z9LT{xMk!h_;`vXCXp5Y#HSsp$f?jmB9^~{xBjxb$fOo8WF}Ikr3mY0ze_pb)P|yu2 z=`kQD>71P&!X18(WXx)CK04U-ULF>sYn?Om<9)cmXRmrEwg;!a+EQR}b7|c!S!Ry2 z##pXb#sU$)k2y?cW4e>#;SuVkbPl44DWcD7f86xF8Evoq9-H@u^L2}6%pWNJQyjNM zX}@(}2)^E%eR(1nU%zp&%Z^g4Qn}}z!US?V+U+m7%?a<-aoe*)F>%K;DGFrm`f zsp(CS4XL{`s1($G&z-A^zp#9&141%iy#~cpm*PC)R1I(Eyqk$DcdWCLn0a&PqEHT* zzt8n$v@wfsJ0Y}|;ZaId;tw|~5t)_9^zmEeA*pVbE=95fo+uJ5bCc81a=(5muuRwG zJF)-(Z>}vs65?kMH1EtPqheb!hQ&l@n&P*Co5W9`9OO6HD;GAqWqc_f5X`Xg?{9|X zm$H2wt0SWF3S{%egNJsWaa^6>=$1n9zy&T~opgIvdVZ76GURa)zeNBUucv5F@7}yK z8?V1uru3Mw9YuH6VWu4s@mHb3x}`Dov{M0yW1umj?n0#FcrMh)?AY$fJM%ihz#yg2 zk$P9XxtA9e8-T6ceR1SX1$Z5`OcB#qJ^9W>0Q~|67;|~|p5+Lj$&=d4JQvgRcki=Z zF731YQcjIUqU}+wLMSQ9dnl$NO_|Waw)w%+%6TR}Lw|=BiJzoXS#1%PGH9n-Zr{cFWk<$7E^9BVLXZ&2!PU++i$x>M0Z5N62eYS>^4_ 
zZR2IT8B#bij%u~yeJ*&S<_!=|&R(r~VYZnYqmQ*c?ySLs z$xcmAIXb8rIGtBQ?|HlgW7Qb>vZ7%fAQIS1+q#k6YD9%BFncGx=Oh%Wnz^m&i$>OZ zC>9f^0sdUu0_b81#YC^;1H)BdRmYDKsuZbZOBk_F?q9N7lC}Sy=eJL>(ZW>Isbu-jL3p(_wq;2w<$2~gXkK2KU&5&9u!z8Uu51tDI+z;_-Y6BF zJTmzZiGOlKpJf*W=p+7V(*whK3CS2Jult<`gOkM8LhFTfS&?MR7s4$N2cRI3*y>ROJN zyV|Ec+&>>ah#w2m1qR;^ZL;=_SlGC@_wmEzl}gWV%O(PjqxY=7zrFcKgLit^r6!=} z%QFj&&-zROKkbq$46m&g1Xwhpb8CBEmRcu1IhX+9CU=byLjClusD@^b_=OwggrKKQ zJ#k}7cOOy&m8)v)h?q%GP(;F4hWWv> z_BB`p7-bO^PBKnR)lu6Ptayhy@4qW96NB;#AfQLh{eac}>&pufz4=6iwdX+BY;v50 zA|5(_Yk<#IwTX_w($)iby7kF>HPxi6p|E&)f%XgP-$Q5Q{cj2CatHlkx#u~vT6 zPw&$l#~l)d#JY|Yt~rwYmZzIP`fLF=mt<2_pRHYV3EqJab<4MDdW}O2dwyaK7gk%w zDEjs+MBIDbmE#hVqS?kNOg^BKl2ZdJYF+*^<6(k(JBRxxqY({O`#-{$5yiKt(hW?P z7NIKUx9#~k=ADyaVP<2fe0}oJqh~r^;6qLvE)^luS1Owfv=X^*?nKObgxpmSxaZr% zh_tPN&@01|z&S`M%HclHE_hbIHMkcQR-l!@t8Mf{a=rJqqcMhsQm=qQ_Ld#$P^?Xp`S2)Vle+I#}3TJ8h=Y@{?xvB*H!inGJTtijau{}@4TknYil4{1G>Ck)@B1&!Qown$oF zCqwOB*@hj+|ZuX3~|89Qd?Vnr91=S3` zIear=7;9u>F=e=wPsNwaszu^WJ7vU4^Qx0l_epH(ojU{k<4;UeHEJtyCk0+tu>7;3 zdSxaotN0DJXv_E>9dHbvoE@y2VB4tuI$_LLiXo#qzX!~JNxty<Q z0loHn2(S_vcX}pYn4vtQb|*cO*$3r1x>7{td8Z@5WMl!TmOhKQ1a^9_lX7aily0^s z5(iK1%MYard&6$kNiNQ>}&zD#`-xOJvynV{Lq-`f@>ho^raO!2auY86Lh>mbpms z=TcHqvK&2Y=;bp7Essltw>fXH|^_AE~SFyUUR5LZ5X zdBPL(NbB>Yob<(V=}(p-6dx~*48C=~%gpXY8E~J%n7JUICMr@y3=!q9a8~S15nU zpLg!d%ixj9NnX0j)lOdn6~EurK+TxYe5Tu`I(V03ccXjrcqiiOCXN?3b4S+yL;3>? 
z#F?%a8mw~KH+A8kKod&F$xz5+nr+U z;=iIQZ(iy4Nl93^r-RdheL_7nv&f;SE{)%~o;7>|Q`$^UJZ-z;>erDs4VmnHh;z67 z-n@zrgYx=&sr=|smbjsROM(b4$b>uVp})!f&bfnxYo(*)B>LQyC8k40IrwIFYHEhy z9d9H%>hxzqo2nc3a2WR_cZ>6*vgI~!iP1d3t)((+WjJ%AzVx;!&J#PlrUY%_{o+j1 z3(!W+4wID5j#CF$ueffgh|$3gqFNo6eVNAE_`^f+LgAm1HFN~)5+@TsDpo3rG42w& zX1nJ0D(>cyR_SyTCCwRzfHR$Wix7P8%I-V9&>fRJ|Bc6HwL7U_GXu;E4USthy2V~z zUwl?>xs|;-86=KUk2{njqDs-MkhWa_j<0qZ$RB%|SDJkOK=V?p7|M4Ri>zLVn|2uB z`G+F=3Zeck^O$>$VRuMbXiCWbP|Ga=sc&P3f#k4KU|$d_ZV^EQ&2T9A!5nYWV}z)& zFCGtuY1~Hla#3wBMgz>>u(_$&gn!ZyKyyINW+Q%C|H{96N8T#qX~X8IR4(<0y|-jg z_PLWxRGqKYW2mRCwg9bS_wq=YUQ1g?uEOIpdzMj|;`YzRoDWGTEGCE?x7Ws;&p#k! zk_He{C8>RP$DNyior35SuG~ZRA9B7XPSMgR-1eKst7%dtX2@Y^n{=q4krr8a4w-yI zKwjZM&f9lXhOUN#+zl#nVMO*iZ{eVTbrPT;14!|wz%R!w@qz9^ASrL;*t!vERlIIpIoTPc%o6CiU{rm!!MyMd`6tbUNGYz z-?_KS`84P;hiRRdv14F2zyJhi1*;9nA;e|ZeKUysxI~@HL=?tx8k8-O>uqM%5SdbY zNx(9m#dViN(B@Nqa`HZhSEDY~GFg@qq0i5V88_QxS%S*VBEi=)a(^5M-5MZvDmQ7q z#dlSPlmv~O$?Kb2}Mo{+(O%O zWB?nfG_h<+*AxUl?(l*q>I3H)xB#^xwLgQeH^ar4SNc-Agy-@82amiDsxBw7DN(1Y z2QCP*0kGC51p7LXA(_9zMY9)pL@OG+8MT0i%`fDEirv;7whkyrRdzU%eZrfC^ Q0U1u{Y8q%%s@X>T7fX${4gdfE literal 0 HcmV?d00001 diff --git a/readme_source.md b/readme_source.md index 12d5304e..e5a01b45 100644 --- a/readme_source.md +++ b/readme_source.md @@ -36,7 +36,9 @@ Use cases supported: 2. Single certificate stores with private key in the file. 3. Single certificate stores with certificate chain and private key in the file. 4. Single certificate stores with private key in an external file. -5. Single certificate stores with certificate chain in the file and private key in an external file +5. Single certificate stores with certificate chain in the file and private key in an external file + +NOTE: PEM stores may only have one private key (internal or external) associated with the store, as only one certificate/chain/private key combination can be stored in a PEM store supported by RFPEM.
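Review bot: the NOTE added at the end of the `@@ -36,7 +36,9 @@` hunk of readme_source.md states the one-private-key limit for RFPEM stores but not how the extension enforces it; please say whether an Add job that would introduce a second certificate/private key combination fails or replaces the existing entry, since a silent replacement of a private key is behaviour an operator needs to plan for. Also, the `-5.`/`+5.` pair in the same hunk is textually identical ("...private key in an external file"), so that change looks like trailing whitespace or line-ending only; if so it can be dropped to keep the diff minimal.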
@@ -76,7 +78,11 @@ Use cases supported:
-While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Extension can be installed on either Windows or Linux, the Remote File Orchestrator Extension can also *manage* certificate stores residing on both Windows and Linux servers. When the RemoteFile Orchestrator Extension is installed on a Windows or Linux server and is used to manager *other* Windows or Linux servers hosting certificate stores, it is said to be acting as an *orchestrator*, managing certificate stores on one or more *other* orchestrated servers. When the Remote File Orchestrator Extension manages only certificate stores residing on the *same* server, it is said to be acting as an *agent*. When acting as an orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and operate directly on the server's file system. Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are detailed below: +The Keyfactor Univeral Orchestrator (UO) and RemoteFile Extension can be installed on either Windows or Linux operating systems as well as manage certificates residing on servers of both operating systems. A UO service managing certificates on remote servers is considered to be acting as an Orchestrator, while a UO service managing local certificates on the same server running the service is considered an Agent. 
When acting as an Orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and instead directly access the orchestrator server's file system. + +(images/orchestrator-agent.png) + +Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are detailed below: | | UO Installed on Windows | UO Installed on Linux | |-----|-----|------| 
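Review bot: the added line `+(images/orchestrator-agent.png)` in the `@@ -76,7 +78,11 @@` hunk of readme_source.md is not Markdown image syntax and will render as a literal parenthesised path; it should be `![Orchestrator and agent deployment modes](images/orchestrator-agent.png)` (the alt text is a suggestion). Two more items in the same hunk: the new opening paragraph misspells "Universal" as "Univeral", and "SSH (for Linux and possibly Windows orchestrated servers)" should state when Windows over SSH is actually supported rather than "possibly". Finally, the sentence "the certificate store can be configured to bypass these and instead directly access the orchestrator server's file system" removes the SSH/WinRM credential from the picture without saying what replaces it; since no remote session is opened in that mode, the paragraph should state which OS identity performs the file access (presumably the account the UO service runs as) and that the server credentials configured on the store do not constrain it, so readers can size the permissions of that account accordingly.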
@@ -456,10 +462,11 @@ For Linux orchestrated servers, "Client Machine" should be the DNS name or IP ad * dns-or-ip is the DNS name or IP address of the server * port is the port WinRM is running under, usually 5985 for http and 5986 for https. -If running as an agent (accessing stores on the server where the Universal Orchestrator Services is installed ONLY), Client Machine can be entered as stated above, OR you can bypass SSH/WinRM and access the local file system directly by adding "|LocalMachine" to the end of your value for Client Machine, for example "1.1.1.1|LocalMachine". In this instance the value to the left of the pipe (|) is ignored. It is important to make sure the values for Client Machine and Store Path together are unique for each certificate store created, as Keyfactor Command requires the Store Type you select, along with Client Machine, and Store Path together must be unique. To ensure this, it is good practice to put the full DNS or IP Address to the left of the | character when setting up a cerificate store that will accessed without a WinRM/SSH connection. +Example: https://myserver.mydomain.com:5986 -
+If running as an agent (accessing stores on the server where the Universal Orchestrator Services is installed ONLY), Client Machine can be entered as stated above, OR you can bypass SSH/WinRM and access the local file system directly by adding "|LocalMachine" to the end of your value for Client Machine, for example "1.1.1.1|LocalMachine". In this instance the value to the left of the pipe (|) is ignored. It is important to make sure the values for Client Machine and Store Path together are unique for each certificate store created, as Keyfactor Command requires the Store Type you select, along with Client Machine, and Store Path together must be unique. To ensure this, it is good practice to put the full DNS or IP Address to the left of the | character when setting up a cerificate store that will accessed without a WinRM/SSH connection. +
Store Path (certificate stores only) From 27cf4a7fd8852424c050dfd999c1105dc63d1e3b Mon Sep 17 00:00:00 2001 From: leefine02 Date: Thu, 25 Apr 2024 14:17:47 +0000 Subject: [PATCH 103/108] ab#55565 --- readme_source.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme_source.md b/readme_source.md index e5a01b45..bdb05bc8 100644 --- a/readme_source.md +++ b/readme_source.md @@ -80,7 +80,7 @@ Use cases supported: The Keyfactor Univeral Orchestrator (UO) and RemoteFile Extension can be installed on either Windows or Linux operating systems as well as manage certificates residing on servers of both operating systems. A UO service managing certificates on remote servers is considered to be acting as an Orchestrator, while a UO service managing local certificates on the same server running the service is considered an Agent. When acting as an Orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and instead directly access the orchestrator server's file system. -(images/orchestrator-agent.png) +!(images/orchestrator-agent.png) Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are detailed below: From 6c020e44f1043f61e3302fda42484183e7b71bb5 Mon Sep 17 00:00:00 2001 
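Review bot: in the `@@ -456,10 +462,11 @@` hunk of readme_source.md, the inserted `+Example: https://myserver.mydomain.com:5986` should say why it uses 5986: the bullet above lists "5985 for http and 5986 for https", and the text should recommend the https listener so the WinRM session that carries the certificate store contents is not sent in clear text. The relocated agent paragraph is moved verbatim and keeps two typos worth fixing while it is being touched: "cerificate store that will accessed" should read "certificate store that will be accessed". The same paragraph says the value left of `|LocalMachine` is ignored; it would help to add that it is not validated, so a store whose Client Machine names a different host will still operate on the orchestrator's own file system without any error.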
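Review bot: in the PATCH 103 hunk of readme_source.md, `+!(images/orchestrator-agent.png)` is still not valid Markdown; an image embed needs the square-bracket alt text as well, `![](images/orchestrator-agent.png)` at minimum, and preferably a description such as `![Orchestrator and agent deployment modes](images/orchestrator-agent.png)`.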
From: leefine02 Date: Thu, 25 Apr 2024 14:19:41 +0000 Subject: [PATCH 104/108] ab#55565 --- readme_source.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme_source.md b/readme_source.md index bdb05bc8..a863e5b2 100644 --- a/readme_source.md +++ b/readme_source.md @@ -80,7 +80,7 @@ Use cases supported: The Keyfactor Univeral Orchestrator (UO) and RemoteFile Extension can be installed on either Windows or Linux operating systems as well as manage certificates residing on servers of both operating systems. A UO service managing certificates on remote servers is considered to be acting as an Orchestrator, while a UO service managing local certificates on the same server running the service is considered an Agent. When acting as an Orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and instead directly access the orchestrator server's file system. -!(images/orchestrator-agent.png) +![](images/orchestrator-agent.png) Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are detailed below: From 909af3c3782e4b4051a434b1b6c558233bc8583a Mon Sep 17 00:00:00 2001 From: leefine02 Date: Thu, 25 Apr 2024 16:05:45 +0000 Subject: [PATCH 105/108] ab#55565 --- readme_source.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
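Review bot: the intermediate `+!(images/orchestrator-agent.png)` in PATCH 103 is still not valid Markdown image syntax (it needs the `[alt]` part), which is why PATCH 104 has to touch the same line again; the two one-line commits should be squashed, and while doing so give the image an alt text instead of the empty `![]`, e.g. `![Orchestrator versus agent architecture](images/orchestrator-agent.png)`. Both commit messages are only the ticket id `ab#55565`, with no description of the change. The unchanged context line in the same hunk also carries the typo "Univeral Orchestrator"; since this is readme_source.md, fixing it here is what will propagate to the generated README.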
diff --git a/readme_source.md b/readme_source.md index a863e5b2..03607751 100644 --- a/readme_source.md +++ b/readme_source.md @@ -102,7 +102,7 @@ The version number of a the Remote File Orchestrator Extension can be verified b
Certificate stores hosted on Linux servers: -1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux servers. If the credentials you will be connecting with need elevated access to run these commands or to access the certificate store files these commands operate against, you must set up the user id as a sudoer with no password necessary and set the config.json "UseSudo" value to "Y". The full list of these commands below: +1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux servers. If the credentials you will be connecting with need elevated access to run these commands or to access the certificate store files these commands operate against, you must set up the user id as a sudoer with no password necessary and set the config.json "UseSudo" value to "Y". When RemoteFile is using orchestration, managing local or external certificate stores using SSH or WinRM, the security context is determined by the user id entered in the Keyfactor Command certificate store or discovery job screens. When RemoteFile is running as an agent, managing local stores only, the security context is the user id running the Keyfactor Command Universal Orchestrator service account. The full list of these commands below: |Shell Command|Used For| |---|---| 
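Review bot: the new sentence ending "The full list of these commands below:" is missing its verb ("The full list of these commands is below:"), and "the security context is the user id running the Keyfactor Command Universal Orchestrator service account" should read "the account running the Keyfactor Command Universal Orchestrator service". On the substance: this item tells the reader to "set up the user id as a sudoer with no password necessary" and then enumerates the exact shell commands the extension runs, so the documentation should say that the NOPASSWD sudoers rule can and should be scoped to those listed commands rather than granted for all commands; that is the least-privilege configuration the table already makes possible, and a reader will otherwise assume a blanket rule is expected.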
@@ -116,9 +116,9 @@ The version number of a the Remote File Orchestrator Extension can be verified b |orapki|Oracle Wallet CLI utility used by Inventory and Management Add/Remove jobs to manipulate an Oracle Wallet certificate store. Used for the RFORA store type only.| |gskcapicmd|IBM Key Database CLI utility used by Inventory and Management Add/Remove jobs to manipulate an IBM Key Database certificate store. Used for the RFKDB store type only.| -2. The Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server. SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer. If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer. +2. When orchestrating management of local or external certificate stores, the Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server. SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer for the user assigned to the certificate store/discovery job. If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer. If the certificate store/discovery job is configured for local (agent) access, the account running the Keyfactor Universal Orchestrator service must have access to read/write to the certificate store location, OR the config.json file must be set up to use the alternative upload/download file. -3. SSH Key Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or supply a user id and SSH private key. 
Both PKCS#1 (BEGIN RSA PRIVATE KEY) and PKCS#8 (BEGIN PRIVATE KEY) formats are supported for the SSH private key. If using the normal Keyfactor Command credentials dialog without PAM integration, just copy and paste the full SSH private key into the Password textbox. +3. SSH Key Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or supply a user id and SSH private key. Both PKCS#1 (BEGIN RSA PRIVATE KEY) and PKCS#8 (BEGIN PRIVATE KEY) formats are supported for the SSH private key. If using the normal Keyfactor Command credentials dialog without PAM integration, just copy and paste the full SSH private key into the Password textbox. SSH Key Authentication is not available when running locally as an agent. Please reference [Configuration File Setup](#configuration-file-setup) for more information on setting up the config.json file and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) for more information on the items above.
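Review bot: the rewritten item 2 carries the typo "apprpriately" over from the removed line (should be "appropriately"), and its final clause says "the alternative upload/download file" while the sentence before it, and the config.json description, call it an upload/download folder; use "folder" in both places. In the rewritten item 3, "SSH Key Authentication is not available when running locally as an agent" is a useful addition, but the two halves of the old item that this hunk joins still read as one run-on; a line break before "Both PKCS#1" would help.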
From 05c0a700ed71c6f9c136fb38f0029b713eb92aa3 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Thu, 25 Apr 2024 16:20:33 +0000 Subject: [PATCH 106/108] Update generated README --- README.md | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 205412d0..89923416 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,7 @@ The Keyfactor Universal Orchestrator may be installed on either Windows or Linux |Supports Management Remove|✓ |✓ | |Supports Create Store|✓ |✓ | |Supports Discovery|✓ |✓ | -|Supports Renrollment| | | +|Supports Reenrollment| | | |Supports Inventory|✓ |✓ | @@ -137,7 +137,9 @@ Use cases supported: 2. Single certificate stores with private key in the file. 3. Single certificate stores with certificate chain and private key in the file. 4. Single certificate stores with private key in an external file. -5. Single certificate stores with certificate chain in the file and private key in an external file +5. Single certificate stores with certificate chain in the file and private key in an external file + +NOTE: PEM stores may only have one private key (internal or external) associated with the store, as only one certificate/chain/private key combination can be stored in a PEM store supported by RFPEM.
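Review bot: in the `@@ -137` hunk the `-5.` and `+5.` lines read identically, so the change is presumably trailing whitespace only; if the line is being touched anyway, end it with a period to match items 1 to 4. The added NOTE about PEM stores holding only one private key is clear and belongs here. The `@@ -38` hunk correctly fixes "Renrollment" to "Reenrollment".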
@@ -177,7 +179,11 @@ Use cases supported:
-While the Keyfactor Universal Orchestrator (UO) and RemoteFile Orchestrator Extension can be installed on either Windows or Linux, the Remote File Orchestrator Extension can also *manage* certificate stores residing on both Windows and Linux servers. When the RemoteFile Orchestrator Extension is installed on a Windows or Linux server and is used to manager *other* Windows or Linux servers hosting certificate stores, it is said to be acting as an *orchestrator*, managing certificate stores on one or more *other* orchestrated servers. When the Remote File Orchestrator Extension manages only certificate stores residing on the *same* server, it is said to be acting as an *agent*. When acting as an orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and operate directly on the server's file system. Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are detailed below: +The Keyfactor Univeral Orchestrator (UO) and RemoteFile Extension can be installed on either Windows or Linux operating systems as well as manage certificates residing on servers of both operating systems. A UO service managing certificates on remote servers is considered to be acting as an Orchestrator, while a UO service managing local certificates on the same server running the service is considered an Agent. 
When acting as an Orchestrator, connectivity from the orchestrator server hosting the RemoteFile extension to the orchestrated server hosting the certificate store(s) being managed is achieved via either an SSH (for Linux and possibly Windows orchestrated servers) or WinRM (for Windows orchestrated servers) connection. When acting as an agent, SSH/WinRM may still be used, OR the certificate store can be configured to bypass these and instead directly access the orchestrator server's file system. + +![](images/orchestrator-agent.png) + +Please review the [Prerequisites and Security Considerations](#prerequisites-and-security-considerations) and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) sections for more information on proper configuration and setup for these different architectures. The supported configurations of Universal Orchestrator hosts and managed orchestrated servers are detailed below: | | UO Installed on Windows | UO Installed on Linux | |-----|-----|------| @@ -197,7 +203,7 @@ The version number of a the Remote File Orchestrator Extension can be verified b
Certificate stores hosted on Linux servers: -1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux servers. If the credentials you will be connecting with need elevated access to run these commands or to access the certificate store files these commands operate against, you must set up the user id as a sudoer with no password necessary and set the config.json "UseSudo" value to "Y". The full list of these commands below: +1. The Remote File Orchestrator Extension makes use of a few common Linux commands when managing stores on Linux servers. If the credentials you will be connecting with need elevated access to run these commands or to access the certificate store files these commands operate against, you must set up the user id as a sudoer with no password necessary and set the config.json "UseSudo" value to "Y". When RemoteFile is using orchestration, managing local or external certificate stores using SSH or WinRM, the security context is determined by the user id entered in the Keyfactor Command certificate store or discovery job screens. When RemoteFile is running as an agent, managing local stores only, the security context is the user id running the Keyfactor Command Universal Orchestrator service account. The full list of these commands below: |Shell Command|Used For| |---|---| 
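Review bot: the `@@ -177` hunk replaces a paragraph that spelled "Universal Orchestrator" correctly with one that reads "Univeral Orchestrator", so this generated README regresses a spelling; the typo originates in readme_source.md (visible in the unchanged context of PATCH 103 and 104) and must be fixed there and the README regenerated, not edited by hand. The hunk header for `@@ -197` also shows "The version number of a the Remote File Orchestrator Extension" in existing text, a stray "a" worth removing in the source while this section is being rewritten.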
@@ -211,9 +217,9 @@ The version number of a the Remote File Orchestrator Extension can be verified b |orapki|Oracle Wallet CLI utility used by Inventory and Management Add/Remove jobs to manipulate an Oracle Wallet certificate store. Used for the RFORA store type only.| |gskcapicmd|IBM Key Database CLI utility used by Inventory and Management Add/Remove jobs to manipulate an IBM Key Database certificate store. Used for the RFKDB store type only.| -2. The Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server. SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer. If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer. +2. When orchestrating management of local or external certificate stores, the Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server. SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer for the user assigned to the certificate store/discovery job. If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer. If the certificate store/discovery job is configured for local (agent) access, the account running the Keyfactor Universal Orchestrator service must have access to read/write to the certificate store location, OR the config.json file must be set up to use the alternative upload/download file. -3. SSH Key Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or supply a user id and SSH private key. 
Both PKCS#1 (BEGIN RSA PRIVATE KEY) and PKCS#8 (BEGIN PRIVATE KEY) formats are supported for the SSH private key. If using the normal Keyfactor Command credentials dialog without PAM integration, just copy and paste the full SSH private key into the Password textbox. +3. SSH Key Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or supply a user id and SSH private key. Both PKCS#1 (BEGIN RSA PRIVATE KEY) and PKCS#8 (BEGIN PRIVATE KEY) formats are supported for the SSH private key. If using the normal Keyfactor Command credentials dialog without PAM integration, just copy and paste the full SSH private key into the Password textbox. SSH Key Authentication is not available when running locally as an agent. Please reference [Configuration File Setup](#configuration-file-setup) for more information on setting up the config.json file and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) for more information on the items above.
@@ -557,10 +563,11 @@ For Linux orchestrated servers, "Client Machine" should be the DNS name or IP ad * dns-or-ip is the DNS name or IP address of the server * port is the port WinRM is running under, usually 5985 for http and 5986 for https. -If running as an agent (accessing stores on the server where the Universal Orchestrator Services is installed ONLY), Client Machine can be entered as stated above, OR you can bypass SSH/WinRM and access the local file system directly by adding "|LocalMachine" to the end of your value for Client Machine, for example "1.1.1.1|LocalMachine". In this instance the value to the left of the pipe (|) is ignored. It is important to make sure the values for Client Machine and Store Path together are unique for each certificate store created, as Keyfactor Command requires the Store Type you select, along with Client Machine, and Store Path together must be unique. To ensure this, it is good practice to put the full DNS or IP Address to the left of the | character when setting up a cerificate store that will accessed without a WinRM/SSH connection. +Example: https://myserver.mydomain.com:5986 -
+If running as an agent (accessing stores on the server where the Universal Orchestrator Services is installed ONLY), Client Machine can be entered as stated above, OR you can bypass SSH/WinRM and access the local file system directly by adding "|LocalMachine" to the end of your value for Client Machine, for example "1.1.1.1|LocalMachine". In this instance the value to the left of the pipe (|) is ignored. It is important to make sure the values for Client Machine and Store Path together are unique for each certificate store created, as Keyfactor Command requires the Store Type you select, along with Client Machine, and Store Path together must be unique. To ensure this, it is good practice to put the full DNS or IP Address to the left of the | character when setting up a cerificate store that will accessed without a WinRM/SSH connection. +
Store Path (certificate stores only) @@ -618,3 +625,6 @@ Steps to create a new supported file based certificate store type: [Apache](https://apache.org/licenses/LICENSE-2.0) +When creating cert store type manually, that store property names and entry parameter names are case sensitive + + From 829ead05ca02665c54d43f7f16dd7c491b858cca Mon Sep 17 00:00:00 2001 From: leefine02 Date: Thu, 25 Apr 2024 16:21:33 +0000 Subject: [PATCH 107/108] ab#55565 --- readme_source.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme_source.md b/readme_source.md index 03607751..b77ef7da 100644 --- a/readme_source.md +++ b/readme_source.md @@ -125,7 +125,7 @@ Please reference [Configuration File Setup](#configuration-file-setup) for more
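Review bot: in the `@@ -557` hunk the moved agent paragraph keeps the typos "cerificate store that will accessed" (should be "certificate store that will be accessed") and "where the Universal Orchestrator Services is installed" (should be "Service is installed"); since the line is being relocated, fix these in the same change. Placing the new "Example: https://myserver.mydomain.com:5986" line directly after the dns-or-ip and port bullets is the right spot, but the example should state that the value goes in Client Machine so it is not confused with the Store Path section that follows.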
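Review bot: the `@@ -618` hunk appends "When creating cert store type manually, that store property names and entry parameter names are case sensitive" after the Apache license link, i.e. as the very last line of the README, where it is detached from the "Steps to create a new supported file based certificate store type" section that the hunk header shows it refers to; move it into that section and reword it as "When creating a certificate store type manually, note that store property names and entry parameter names are case sensitive."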
Certificate stores hosted on Windows servers: -1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command. Please reference [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) for more information on creating certificate stores for the RemoteFile Orchestrator Extension. +1. When orchestrating management of external (and potentially local) certificate stores, the RemoteFile Orchestrator Extension makes use of WinRM to connect to external certificate store servers. The security context used is the user id entered in the Keyfactor Command certificate store or discovery job screen. Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores/discovery jobs. If running as an agent, managing local certificate stores, local commands are run under the security context of the user account running the Keyfactor Universal Orchestrator Service. Please reference [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) for more information on creating certificate stores for the RemoteFile Orchestrator Extension.
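Review bot: the rewritten item 1 keeps "by convention, 5585 for HTTP and 5586 for HTTPS", which contradicts the Client Machine section in the same series (`@@ -557` in PATCH 106: "usually 5985 for http and 5986 for https"); 5985 and 5986 are the standard WinRM ports, so the 55xx values here are a typo that should be corrected rather than carried into the new sentence. The same sentence says the WinRM port "is part of the certificate store path", while the Client Machine section and the new example `https://myserver.mydomain.com:5986` put the port in the Client Machine value, not the Store Path; reconcile the two so a reader configuring WinRM does not put the port in the wrong field. The added statements about which security context applies when orchestrating versus running as an agent are a good clarification.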
From db04addbfddfa028c5b54f6e485279128b0b3bdb Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Thu, 25 Apr 2024 16:22:07 +0000 Subject: [PATCH 108/108] Update generated README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 89923416..8fa8fae8 100644 --- a/README.md +++ b/README.md @@ -226,7 +226,7 @@ Please reference [Configuration File Setup](#configuration-file-setup) for more
Certificate stores hosted on Windows servers: -1. Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores When creating a new certificate store in Keyfactor Command. Please reference [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) for more information on creating certificate stores for the RemoteFile Orchestrator Extension. +1. When orchestrating management of external (and potentially local) certificate stores, the RemoteFile Orchestrator Extension makes use of WinRM to connect to external certificate store servers. The security context used is the user id entered in the Keyfactor Command certificate store or discovery job screen. Make sure that WinRM is set up on the orchestrated server and that the WinRM port (by convention, 5585 for HTTP and 5586 for HTTPS) is part of the certificate store path when setting up your certificate stores/discovery jobs. If running as an agent, managing local certificate stores, local commands are run under the security context of the user account running the Keyfactor Universal Orchestrator Service. Please reference [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) for more information on creating certificate stores for the RemoteFile Orchestrator Extension.